Edit tour

Windows Analysis Report
m.exe

Overview

General Information

Sample name:	m.exe
Analysis ID:	1583711
MD5:	b7582a23e2181d7fa6e5d1517be74b66
SHA1:	0d2a6e0defa55dc0b0e2f2808be6241f88ef7eb1
SHA256:	1bcdd9648584644da843486719f16b20250d3ca1015a6996085b43135d67615b
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Performs DNS queries to domains with low reputation

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

m.exe (PID: 1996 cmdline: "C:\Users\user\Desktop\m.exe" MD5: B7582A23E2181D7FA6E5D1517BE74B66)

conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 8443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "632313373.xyz,/api/3", "HttpPostUri": "/api/4", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": "Host: 632313373.xyz\r\n"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x32760:$a39: %s as %s\%s: %d 0x41be2:$a41: beacon.x64.dll 0x33970:$a46: %s (admin) 0x328d8:$a48: %s%s: %s 0x3278c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x327b8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x339d9:$a51: Content-Length: %d
00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1a4ca:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 71 F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0x1986e:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30d60:$a39: %s as %s\%s: %d 0x401e2:$a41: beacon.x64.dll 0x31f70:$a46: %s (admin) 0x30ed8:$a48: %s%s: %s 0x30d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x30db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31fd9:$a51: Content-Length: %d
00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x98d60:$a39: %s as %s\%s: %d 0xced60:$a39: %s as %s\%s: %d 0x112d60:$a39: %s as %s\%s: %d 0xde1e2:$a41: beacon.x64.dll 0x1221e2:$a41: beacon.x64.dll 0x99f70:$a46: %s (admin) 0xcff70:$a46: %s (admin) 0x113f70:$a46: %s (admin) 0x98ed8:$a48: %s%s: %s 0xceed8:$a48: %s%s: %s 0x112ed8:$a48: %s%s: %s 0x98d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x98db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xced8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xcedb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x112d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x112db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x99fd9:$a51: Content-Length: %d 0xcffd9:$a51: Content-Length: %d 0x113fd9:$a51: Content-Length: %d
00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x3ad3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x5ad3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x84d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0xbad3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0xfed3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x3696a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x37c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x5696a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x57c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x8096a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x81c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xb696a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xb7c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xfa96a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xfbc9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x378ca:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 71 F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0x578ca:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 71 F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0x818ca:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 71 F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0xb78ca:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 71 F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0xfb8ca:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 71 F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0x36c6e:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ... 0x56c6e:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ... 0x80c6e:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ... 0xb6c6e:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ... 0xfac6e:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
Process Memory Space: m.exe PID: 1996	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: m.exe PID: 1996	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: m.exe PID: 1996	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: m.exe PID: 1996	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x459e5a:$a39: %s as %s\%s: %d 0x4f0b42:$a39: %s as %s\%s: %d 0x676978:$a39: %s as %s\%s: %d 0x45d9e0:$a41: beacon.x64.dll 0x4f48cb:$a41: beacon.x64.dll 0x67a4fe:$a41: beacon.x64.dll 0x45a1b7:$a46: %s (admin) 0x45a236:$a46: %s (admin) 0x4f0e9f:$a46: %s (admin) 0x4f0f1e:$a46: %s (admin) 0x676cd5:$a46: %s (admin) 0x676d54:$a46: %s (admin) 0x459f78:$a48: %s%s: %s 0x4f0c60:$a48: %s%s: %s 0x676a96:$a48: %s%s: %s 0x459e74:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x459e9d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x45a020:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x4f0b5c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x4f0b85:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x4f0d08:$a50: %02d/%02d/%02d %02d:%02d:%02d
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.m.exe.24ef3db0000.12.raw.unpack	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
0.2.m.exe.24ef3db0000.12.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.m.exe.24ef3db0000.12.raw.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.m.exe.24ef3db0000.12.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.m.exe.24ef3db0000.12.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30d60:$a39: %s as %s\%s: %d 0x401e2:$a41: beacon.x64.dll 0x31f70:$a46: %s (admin) 0x30ed8:$a48: %s%s: %s 0x30d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x30db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31fd9:$a51: Content-Length: %d
0.2.m.exe.24ef3db0000.12.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.m.exe.24ef3db0000.12.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.m.exe.24ef3db0000.12.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.m.exe.24ef3db0000.12.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.m.exe.24ef3db0000.12.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.m.exe.24ef3db0000.12.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.m.exe.24ef3db0000.12.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1c13c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.m.exe.24ef3db0000.12.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17d6a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1909b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
Click to see the 8 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://632313373.xyz:8443/api/3l	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/api/3q	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/api/3_	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/api/3	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/api/31	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/api/3xy	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/api/3c	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/api/3un-	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/api/37	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/soft	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/api/3.xyz:8443/api/3	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/N	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/api/3N	Avira URL Cloud: Label: malware
Source: https://632313373.xyz/2Au	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/api/3D	Avira URL Cloud: Label: malware
Source: 632313373.xyz	Avira URL Cloud: Label: malware
Source: https://632313373.xyz/	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 8443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "632313373.xyz,/api/3", "HttpPostUri": "/api/4", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": "Host: 632313373.xyz\r\n"}

Multi AV Scanner detection for submitted file

Source: m.exe	Virustotal: Detection: 70%			Perma Link
Source: m.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Source: m.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 632313373.xyz

Performs DNS queries to domains with low reputation

Source:

DNS query: 632313373.xyz

Source: global traffic

TCP traffic: 192.168.2.8:49706 -> 188.114.97.3:8443

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 632313373.xyz

Source: m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527068685.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458823494.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708150941.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742927448.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708150941.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/PCUeQViQlYc.crl0
Source: m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527068685.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458823494.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708150941.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742927448.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708150941.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt
Source: m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt0
Source: m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/lk00%
Source: m.exe, 00000000.00000002.2638279763.0000024ECE92C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz/
Source: m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz/2Au
Source: m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/
Source: m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/N
Source: m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/3
Source: m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/3.xyz:8443/api/3
Source: m.exe, 00000000.00000002.2638279763.0000024ECE92C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/31
Source: m.exe, 00000000.00000002.2638279763.0000024ECE92C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/37
Source: m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/3D
Source: m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/3N
Source: m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/3_
Source: m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/3c
Source: m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/3l
Source: m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/3q
Source: m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/3un-
Source: m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/api/3xy
Source: m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/soft

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.m.exe.24ef3db0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.m.exe.24ef3db0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.m.exe.24ef3db0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.m.exe.24ef3db0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.m.exe.24ef3db0000.12.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.m.exe.24ef3db0000.12.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: Process Memory Space: m.exe PID: 1996, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown

Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DD239C	0_2_0000024EF3DD239C
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DDC397	0_2_0000024EF3DDC397
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DD0374	0_2_0000024EF3DD0374
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DC0334	0_2_0000024EF3DC0334
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DDAAB0	0_2_0000024EF3DDAAB0
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DD1264	0_2_0000024EF3DD1264
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DB916C	0_2_0000024EF3DB916C
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DD1928	0_2_0000024EF3DD1928
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DD5914	0_2_0000024EF3DD5914
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DDCFF0	0_2_0000024EF3DDCFF0
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DDB7B0	0_2_0000024EF3DDB7B0
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DC6F38	0_2_0000024EF3DC6F38
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DB9680	0_2_0000024EF3DB9680
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DDC680	0_2_0000024EF3DDC680
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DBCE3C	0_2_0000024EF3DBCE3C
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DDE600	0_2_0000024EF3DDE600
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DCF5A8	0_2_0000024EF3DCF5A8
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E3DBF0	0_2_0000024EF3E3DBF0
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E27B38	0_2_0000024EF3E27B38
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E3D280	0_2_0000024EF3E3D280
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E301A8	0_2_0000024EF3E301A8
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E32F9C	0_2_0000024EF3E32F9C
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E31E64	0_2_0000024EF3E31E64
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E32528	0_2_0000024EF3E32528

Source: 0.2.m.exe.24ef3db0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.m.exe.24ef3db0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.m.exe.24ef3db0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.m.exe.24ef3db0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.m.exe.24ef3db0000.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.m.exe.24ef3db0000.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: Process Memory Space: m.exe PID: 1996, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.winEXE@2/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1992:120:WilError_03

Source: m.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\m.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: m.exe	Virustotal: Detection: 70%
Source: m.exe	ReversingLabs: Detection: 52%

Source: m.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned" not supported for cpu option "MapIter.Value called before Nextuse of closed network connectioncrypto/aes: output not full blockCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyW142108547152020037174224853515625710542735760100185871124267578125too many levels of symbolic linksslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangeGODEBUG: no value specified for "reflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangewaiting for unsupported file typecrypto/aes: invalid buffer overlapillegal base64 data at input byte CM_Get_Device_Interface_List_SizeWSetFileCompletionNotificationModes3552713678800500929355621337890625too many references: cannot spliceslice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangeunexpected runtime.netpoll error: encoding/hex: odd length hex stringSubscribeServiceChangeNotifications1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9network dropped connection on resettransport endpoint is not connectedpersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid
Source: m.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned" not supported for cpu option "MapIter.Value called before Nextuse of closed network connectioncrypto/aes: output not full blockCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyW142108547152020037174224853515625710542735760100185871124267578125too many levels of symbolic linksslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangeGODEBUG: no value specified for "reflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangewaiting for unsupported file typecrypto/aes: invalid buffer overlapillegal base64 data at input byte CM_Get_Device_Interface_List_SizeWSetFileCompletionNotificationModes3552713678800500929355621337890625too many references: cannot spliceslice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangeunexpected runtime.netpoll error: encoding/hex: odd length hex stringSubscribeServiceChangeNotifications1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9network dropped connection on resettransport endpoint is not connectedpersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid
Source: m.exe	String found in binary or memory: net/addrselect.go

Source: unknown	Process created: C:\Users\user\Desktop\m.exe "C:\Users\user\Desktop\m.exe"
Source: C:\Users\user\Desktop\m.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\m.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\m.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: m.exe

Static file information: File size 3900928 > 1048576

Source: m.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2dac00

Source: m.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: m.exe	Static PE information: section name: .xdata
Source: m.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DE1890 push rdi; retf	0_2_0000024EF3DE1896
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DE1860 push rdi; retf	0_2_0000024EF3DE1896
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DE1878 push rdi; retf	0_2_0000024EF3DE1896
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3DE776C push 0000006Ah; retf	0_2_0000024EF3DE7784
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E403FC push ebp; iretd	0_2_0000024EF3E40401
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E1A35D push edi; iretd	0_2_0000024EF3E1A35E
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E1C91C pushad ; retf	0_2_0000024EF3E1C91D
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E20901 push ebx; iretd	0_2_0000024EF3E20902
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E3B898 push ebp; iretd	0_2_0000024EF3E3B899
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E3B86F push ebp; iretd	0_2_0000024EF3E3B870
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E3B84F push ebp; iretd	0_2_0000024EF3E3B850
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E1A71E push cs; retf	0_2_0000024EF3E1A71F
Source: C:\Users\user\Desktop\m.exe	Code function: 0_2_0000024EF3E1BD58 push ebp; iretd	0_2_0000024EF3E1BD59

Source: C:\Users\user\Desktop\m.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\m.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\m.exe TID: 5216	Thread sleep count: 71 > 30			Jump to behavior
Source: C:\Users\user\Desktop\m.exe TID: 5216	Thread sleep time: -4260000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\m.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\m.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\m.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: m.exe, 00000000.00000003.2182559035.0000024ECE9BC000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE9BC000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE9BC000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE9BC000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9BC000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9BC000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE92C000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE9BC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\m.exe

Code function: 0_2_0000024EF3E25E28 GetUserNameA,strrchr,_snprintf,

0_2_0000024EF3E25E28

Source: C:\Users\user\Desktop\m.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 0.2.m.exe.24ef3db0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.m.exe.24ef3db0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m.exe PID: 1996, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
m.exe	70%	Virustotal		Browse
m.exe	53%	ReversingLabs	Win64.Backdoor.Cobeacon

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://632313373.xyz:8443/api/3l	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/api/3q	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/api/3_	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/api/3	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/api/31	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/api/3xy	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/api/3c	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/api/3un-	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/api/37	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/soft	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/api/3.xyz:8443/api/3	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/N	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/api/3N	100%	Avira URL Cloud	malware
https://632313373.xyz/2Au	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/api/3D	100%	Avira URL Cloud	malware
632313373.xyz	100%	Avira URL Cloud	malware
https://632313373.xyz/	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
632313373.xyz	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
632313373.xyz	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://o.pki.goog/s/we1/lk00%	m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/api/3l	m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/api/37	m.exe, 00000000.00000002.2638279763.0000024ECE92C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/we1.crt0	m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/api/31	m.exe, 00000000.00000002.2638279763.0000024ECE92C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/api/3q	m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/api/3xy	m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/api/3_	m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://c.pki.goog/r/gsr1.crl0	m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527068685.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458823494.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708150941.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/api/3	m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/soft	m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/api/3c	m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/api/3un-	m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/N	m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/api/3.xyz:8443/api/3	m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/api/3N	m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://c.pki.goog/we1/PCUeQViQlYc.crl0	m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/	m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/gsr1.crt0-	m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527068685.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458823494.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708150941.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz/2Au	m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://c.pki.goog/r/r4.crl0	m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742927448.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708150941.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz/	m.exe, 00000000.00000002.2638279763.0000024ECE92C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/r4.crt0	m.exe, 00000000.00000002.2638279763.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA0D000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE990000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351809919.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742927448.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE992000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1458784131.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182460198.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2351687059.0000024ECEA15000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0A000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE987000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708150941.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911562695.0000024ECEA0E000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE993000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911366730.0000024ECEA04000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9F9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/api/3D	m.exe, 00000000.00000003.1911730977.0000024ECE9E2000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/we1.crt	m.exe, 00000000.00000003.1458840171.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.2182559035.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1742999932.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1708178455.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000002.2638279763.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1911586335.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp, m.exe, 00000000.00000003.1527143033.0000024ECE9CA000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	632313373.xyz	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583711
Start date and time:	2025-01-03 12:50:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	m.exe
Detection:	MAL
Classification:	mal100.troj.winEXE@2/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:51:12	API Interceptor	71x Sleep call for process: m.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
632313373.xyz	svchostinter.exe	Get hash	malicious	CobaltStrike	Browse	172.67.175.230

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://www.escudier-sas.fr	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.18.11.207
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	http://www.technoafriwave.rw	Get hash	malicious	Unknown	Browse	1.1.1.1
	dropper.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.32.1
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.67.152

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.665985613603945
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	m.exe
File size:	3'900'928 bytes
MD5:	b7582a23e2181d7fa6e5d1517be74b66
SHA1:	0d2a6e0defa55dc0b0e2f2808be6241f88ef7eb1
SHA256:	1bcdd9648584644da843486719f16b20250d3ca1015a6996085b43135d67615b
SHA512:	47518b94f7188bb999f38c0af47acfd4923c22b0270bcbed8216b1f6c1c99941d86d7ff4961d04354a13d5fc05f22ef65b94532e23d65ace2d0c73a7e9ba6768
SSDEEP:	49152:bbj9GKMsRVYujjOXAXYpW6xbaJqt2sf5TVVup0yw2:besfM
TLSH:	E006CF0B7CE118B5C0AE93328966A6567A71BC440F3167D73E90B37C2F72BD4AA36744
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........;......."..........n................@..............................`@...........`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46ec80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	d42595b695fc008ef2c56aabd8efd68e

Entrypoint Preview

Instruction
jmp 00007F1164D151F0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [003857B2h]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F1164D18A95h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F1164D2306Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ff000	0x53e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3f8000	0x5370	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x400000	0x499c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x398140	0x178	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xbbc11	0xbbe00	b640204ed8c6ff4443dffe83a715c0a5	False	0.4747913028110446	data	6.263431892416364	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xbd000	0x2daa20	0x2dac00	7739dfcae50e6b07d65b281662f76265	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x398000	0x5fde0	0x16e00	27db03880df569b60cb5a150e6a986d7	False	0.28514557718579236	data	3.199048218300947	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3f8000	0x5370	0x5400	4cd4f6b911a62d0dd3ef5acf3e0e1cf7	False	0.4015997023809524	data	5.217671952320104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x3fe000	0xb4	0x200	d5a432b15ea1de5871ba1b040f244088	False	0.228515625	shared library	1.787112262798912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x3ff000	0x53e	0x600	947ae433b372351ebe424ca890a488f2	False	0.3776041666666667	OpenPGP Public Key	4.017189066074398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x400000	0x499c	0x4a00	efaedbfb568404da6965818de11ed081	False	0.3090688344594595	data	5.408218484092498	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x405000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 12:51:11.298739910 CET	49706	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:11.303529024 CET	8443	49706	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:11.303622961 CET	49706	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:11.314785004 CET	49706	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:11.319574118 CET	8443	49706	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:11.769176006 CET	8443	49706	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:11.769195080 CET	8443	49706	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:11.769206047 CET	8443	49706	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:11.769229889 CET	49706	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:11.769268036 CET	49706	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:11.789135933 CET	49706	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:11.793934107 CET	8443	49706	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:11.913136959 CET	8443	49706	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:11.913202047 CET	49706	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:11.949306011 CET	49706	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:11.954077959 CET	8443	49706	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:13.031308889 CET	8443	49706	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:13.031383991 CET	49706	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:13.152055979 CET	49707	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:13.156883001 CET	8443	49707	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:13.156991005 CET	49707	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:13.157645941 CET	49707	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:13.162475109 CET	8443	49707	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:13.612647057 CET	8443	49707	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:13.612850904 CET	49707	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:13.613306046 CET	49707	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:13.614384890 CET	49707	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:13.618081093 CET	8443	49707	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:13.619189024 CET	8443	49707	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:14.722631931 CET	8443	49707	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:14.722780943 CET	49707	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:14.839484930 CET	49706	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:14.840393066 CET	49708	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:14.844584942 CET	8443	49706	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:14.844654083 CET	49706	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:14.845197916 CET	8443	49708	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:14.845264912 CET	49708	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:14.845618963 CET	49708	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:14.851150990 CET	8443	49708	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:15.305701971 CET	8443	49708	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:15.305821896 CET	49708	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:15.306293011 CET	49708	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:15.307327986 CET	49708	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:15.311044931 CET	8443	49708	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:15.312062025 CET	8443	49708	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:16.408817053 CET	8443	49708	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:16.408957958 CET	49708	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:16.527000904 CET	49707	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:16.531955004 CET	8443	49707	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:16.532037973 CET	49707	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:16.541100025 CET	49709	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:16.545943022 CET	8443	49709	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:16.546008110 CET	49709	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:16.546288013 CET	49709	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:16.551079988 CET	8443	49709	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:16.995673895 CET	8443	49709	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:16.995774984 CET	49709	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:16.996517897 CET	49709	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:16.997767925 CET	49709	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:17.001604080 CET	8443	49709	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:17.002518892 CET	8443	49709	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:18.129704952 CET	8443	49709	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:18.129790068 CET	49709	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:18.245733976 CET	49708	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:18.246252060 CET	49710	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:18.250941992 CET	8443	49708	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:18.251056910 CET	49708	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:18.251096964 CET	8443	49710	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:18.251172066 CET	49710	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:18.251549959 CET	49710	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:18.256284952 CET	8443	49710	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:18.698237896 CET	8443	49710	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:18.698303938 CET	49710	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:18.699026108 CET	49710	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:18.700560093 CET	49710	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:18.703924894 CET	8443	49710	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:18.705285072 CET	8443	49710	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:19.850438118 CET	8443	49710	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:19.850560904 CET	49710	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:19.979952097 CET	49709	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:19.980451107 CET	49711	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:19.984956980 CET	8443	49709	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:19.985023022 CET	49709	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:19.985276937 CET	8443	49711	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:19.985333920 CET	49711	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:19.985558987 CET	49711	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:19.990329027 CET	8443	49711	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:20.433432102 CET	8443	49711	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:20.433514118 CET	49711	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:20.434072971 CET	49711	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:20.435591936 CET	49711	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:20.438899040 CET	8443	49711	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:20.440392017 CET	8443	49711	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:21.526689053 CET	8443	49711	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:21.526815891 CET	49711	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:21.636357069 CET	49710	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:21.636933088 CET	49712	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:21.641496897 CET	8443	49710	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:21.641565084 CET	49710	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:21.641794920 CET	8443	49712	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:21.641894102 CET	49712	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:21.642102957 CET	49712	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:21.646822929 CET	8443	49712	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:22.111677885 CET	8443	49712	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:22.111845016 CET	49712	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:22.112679005 CET	49712	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:22.113770008 CET	49712	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:22.117525101 CET	8443	49712	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:22.118546963 CET	8443	49712	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:23.239530087 CET	8443	49712	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:23.239655018 CET	49712	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:23.355431080 CET	49711	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:23.360500097 CET	8443	49711	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:23.360552073 CET	49711	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:23.372806072 CET	49713	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:23.378910065 CET	8443	49713	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:23.378999949 CET	49713	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:23.379231930 CET	49713	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:23.383965015 CET	8443	49713	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:23.852695942 CET	8443	49713	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:23.852776051 CET	49713	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:23.864384890 CET	49713	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:23.869249105 CET	8443	49713	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:23.880657911 CET	49713	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:23.885534048 CET	8443	49713	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:25.096462965 CET	8443	49713	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:25.096556902 CET	49713	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:25.203476906 CET	49712	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:25.204292059 CET	49714	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:25.208462000 CET	8443	49712	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:25.208549023 CET	49712	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:25.209042072 CET	8443	49714	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:25.209105968 CET	49714	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:25.212152004 CET	49714	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:25.217035055 CET	8443	49714	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:25.665018082 CET	8443	49714	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:25.665124893 CET	49714	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:25.665631056 CET	49714	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:25.666668892 CET	49714	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:25.670350075 CET	8443	49714	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:25.671435118 CET	8443	49714	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:26.812977076 CET	8443	49714	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:26.813047886 CET	49714	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:26.917503119 CET	49713	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:26.918083906 CET	49715	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:26.922949076 CET	8443	49713	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:26.922966003 CET	8443	49715	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:26.923022032 CET	49713	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:26.923075914 CET	49715	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:26.923460007 CET	49715	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:26.928282976 CET	8443	49715	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:27.370052099 CET	8443	49715	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:27.370192051 CET	49715	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:27.370688915 CET	49715	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:27.371849060 CET	49715	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:27.375439882 CET	8443	49715	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:27.376593113 CET	8443	49715	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:28.464560986 CET	8443	49715	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:28.464629889 CET	49715	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:28.590550900 CET	49714	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:28.595699072 CET	8443	49714	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:28.595756054 CET	49714	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:28.601294994 CET	49719	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:28.608908892 CET	8443	49719	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:28.608978033 CET	49719	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:28.609298944 CET	49719	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:28.618835926 CET	8443	49719	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:29.098227978 CET	8443	49719	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:29.098306894 CET	49719	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:29.099123955 CET	49719	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:29.100193024 CET	49719	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:29.103828907 CET	8443	49719	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:29.104926109 CET	8443	49719	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:30.210336924 CET	8443	49719	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:30.210397005 CET	49719	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:30.326661110 CET	49715	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:30.327796936 CET	49720	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:30.445209980 CET	8443	49720	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:30.445300102 CET	49720	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:30.445770025 CET	49720	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:30.446181059 CET	8443	49715	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:30.446230888 CET	49715	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:30.450588942 CET	8443	49720	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:30.905051947 CET	8443	49720	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:30.905164003 CET	49720	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:30.905744076 CET	49720	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:30.906878948 CET	49720	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:30.910506964 CET	8443	49720	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:30.911731958 CET	8443	49720	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:32.010901928 CET	8443	49720	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:32.011060953 CET	49720	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:32.124922991 CET	49719	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:32.125675917 CET	49721	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:32.129919052 CET	8443	49719	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:32.130000114 CET	49719	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:32.130434036 CET	8443	49721	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:32.130532980 CET	49721	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:32.130867958 CET	49721	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:32.135730028 CET	8443	49721	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:32.596790075 CET	8443	49721	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:32.596929073 CET	49721	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:32.597376108 CET	49721	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:32.598711014 CET	49721	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:32.602108955 CET	8443	49721	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:32.603461981 CET	8443	49721	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:34.503712893 CET	8443	49721	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:34.503796101 CET	49721	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:34.504098892 CET	8443	49721	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:34.504143953 CET	49721	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:34.504216909 CET	8443	49721	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:34.504281044 CET	49721	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:34.605308056 CET	49720	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:34.605906010 CET	49722	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:34.610285044 CET	8443	49720	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:34.610411882 CET	49720	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:34.610692024 CET	8443	49722	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:34.610806942 CET	49722	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:34.611171007 CET	49722	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:34.615901947 CET	8443	49722	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:35.058057070 CET	8443	49722	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:35.058198929 CET	49722	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:35.058764935 CET	49722	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:35.059735060 CET	49722	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:35.063499928 CET	8443	49722	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:35.065057993 CET	8443	49722	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:36.100642920 CET	8443	49722	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:36.100759983 CET	49722	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:36.214541912 CET	49721	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:36.215233088 CET	49723	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:36.219847918 CET	8443	49721	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:36.219976902 CET	49721	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:36.220067024 CET	8443	49723	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:36.220148087 CET	49723	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:36.220596075 CET	49723	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:36.225394011 CET	8443	49723	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:36.686925888 CET	8443	49723	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:36.687040091 CET	49723	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:36.687431097 CET	49723	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:36.688472033 CET	49723	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:36.692192078 CET	8443	49723	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:36.693272114 CET	8443	49723	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:37.761122942 CET	8443	49723	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:37.761209965 CET	49723	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:37.870831966 CET	49722	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:37.871486902 CET	49724	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:37.876000881 CET	8443	49722	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:37.876060963 CET	49722	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:37.876363993 CET	8443	49724	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:37.876425982 CET	49724	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:37.876756907 CET	49724	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:37.881498098 CET	8443	49724	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:38.341816902 CET	8443	49724	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:38.341933012 CET	49724	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:38.342328072 CET	49724	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:38.343310118 CET	49724	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:38.347156048 CET	8443	49724	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:38.348079920 CET	8443	49724	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:39.442182064 CET	8443	49724	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:39.445893049 CET	49724	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:39.558456898 CET	49723	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:39.559062958 CET	49725	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:39.563564062 CET	8443	49723	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:39.563968897 CET	8443	49725	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:39.564023018 CET	49723	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:39.564089060 CET	49725	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:39.568614960 CET	49725	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:39.573443890 CET	8443	49725	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:40.031991005 CET	8443	49725	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:40.032068014 CET	49725	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:40.332032919 CET	49725	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:40.333848000 CET	49725	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:40.336852074 CET	8443	49725	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:40.338681936 CET	8443	49725	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:41.463351011 CET	8443	49725	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:41.463496923 CET	49725	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:41.589960098 CET	49724	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:41.591200113 CET	49726	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:41.595066071 CET	8443	49724	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:41.595151901 CET	49724	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:41.596108913 CET	8443	49726	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:41.596225023 CET	49726	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:41.596591949 CET	49726	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:41.601475000 CET	8443	49726	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:42.043169975 CET	8443	49726	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:42.043247938 CET	49726	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:42.043782949 CET	49726	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:42.044739962 CET	49726	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:42.048593998 CET	8443	49726	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:42.049520016 CET	8443	49726	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:43.105752945 CET	8443	49726	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:43.105887890 CET	49726	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:43.207125902 CET	49725	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:43.207575083 CET	49727	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:43.212141991 CET	8443	49725	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:43.212251902 CET	49725	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:43.212354898 CET	8443	49727	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:43.212421894 CET	49727	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:43.212680101 CET	49727	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:43.217427969 CET	8443	49727	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:43.663088083 CET	8443	49727	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:43.663187027 CET	49727	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:43.663716078 CET	49727	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:43.664629936 CET	49727	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:43.668457031 CET	8443	49727	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:43.669420958 CET	8443	49727	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:44.831818104 CET	8443	49727	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:44.832014084 CET	49727	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:44.941478014 CET	49726	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:44.946873903 CET	8443	49726	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:44.946934938 CET	49726	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:44.958381891 CET	49728	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:44.963246107 CET	8443	49728	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:44.963330984 CET	49728	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:44.963633060 CET	49728	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:44.968508959 CET	8443	49728	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:45.409512997 CET	8443	49728	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:45.409605980 CET	49728	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:45.410346985 CET	49728	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:45.411336899 CET	49728	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:45.415226936 CET	8443	49728	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:45.416083097 CET	8443	49728	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:46.496750116 CET	8443	49728	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:46.496867895 CET	49728	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:46.613411903 CET	49727	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:46.614063025 CET	49729	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:46.618602991 CET	8443	49727	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:46.618680954 CET	49727	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:46.618942022 CET	8443	49729	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:46.619003057 CET	49729	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:46.619286060 CET	49729	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:46.624103069 CET	8443	49729	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:47.094633102 CET	8443	49729	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:47.094753027 CET	49729	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:47.095347881 CET	49729	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:47.096473932 CET	49729	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:47.100179911 CET	8443	49729	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:47.101228952 CET	8443	49729	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:48.242687941 CET	8443	49729	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:48.242803097 CET	49729	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:48.347714901 CET	49728	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:48.348254919 CET	49730	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:48.353065014 CET	8443	49728	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:48.353183985 CET	49728	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:48.353482962 CET	8443	49730	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:48.353590012 CET	49730	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:48.353822947 CET	49730	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:48.359106064 CET	8443	49730	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:48.821224928 CET	8443	49730	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:48.821357965 CET	49730	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:48.821870089 CET	49730	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:48.822843075 CET	49730	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:48.826725006 CET	8443	49730	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:48.827645063 CET	8443	49730	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:49.941467047 CET	8443	49730	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:49.941546917 CET	49730	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:50.050900936 CET	49729	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:50.051394939 CET	49731	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:50.055931091 CET	8443	49729	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:50.056050062 CET	49729	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:50.056226969 CET	8443	49731	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:50.056420088 CET	49731	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:50.056756973 CET	49731	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:50.061502934 CET	8443	49731	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:50.526660919 CET	8443	49731	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:50.526751041 CET	49731	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:50.527241945 CET	49731	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:50.528222084 CET	49731	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:50.532063007 CET	8443	49731	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:50.533035994 CET	8443	49731	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:51.629952908 CET	8443	49731	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:51.630042076 CET	49731	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:51.738502979 CET	49730	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:51.739134073 CET	49732	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:51.743674994 CET	8443	49730	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:51.743940115 CET	8443	49732	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:51.743946075 CET	49730	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:51.744018078 CET	49732	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:51.744364023 CET	49732	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:51.750417948 CET	8443	49732	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:52.200575113 CET	8443	49732	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:52.200674057 CET	49732	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:52.201210022 CET	49732	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:52.202266932 CET	49732	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:52.206048965 CET	8443	49732	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:52.207087040 CET	8443	49732	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:53.292738914 CET	8443	49732	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:53.292821884 CET	49732	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:53.394748926 CET	49731	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:53.395318985 CET	49733	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:53.399826050 CET	8443	49731	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:53.399900913 CET	49731	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:53.400149107 CET	8443	49733	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:53.400226116 CET	49733	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:53.400561094 CET	49733	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:53.405371904 CET	8443	49733	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:53.865695953 CET	8443	49733	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:53.865775108 CET	49733	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:53.866190910 CET	49733	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:53.867347002 CET	49733	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:53.870954990 CET	8443	49733	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:53.872090101 CET	8443	49733	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:54.978746891 CET	8443	49733	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:54.978832006 CET	49733	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:55.082217932 CET	49732	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:55.082681894 CET	49734	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:55.087225914 CET	8443	49732	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:55.087322950 CET	49732	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:55.087491989 CET	8443	49734	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:55.087557077 CET	49734	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:55.087920904 CET	49734	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:55.092643023 CET	8443	49734	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:55.561496019 CET	8443	49734	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:55.561634064 CET	49734	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:55.562316895 CET	49734	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:55.563198090 CET	49734	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:55.568857908 CET	8443	49734	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:55.569531918 CET	8443	49734	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:56.655057907 CET	8443	49734	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:56.655133009 CET	49734	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:56.769691944 CET	49733	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:56.770199060 CET	49735	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:56.774847031 CET	8443	49733	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:56.774930000 CET	49733	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:56.775033951 CET	8443	49735	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:56.775095940 CET	49735	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:56.775366068 CET	49735	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:56.780162096 CET	8443	49735	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:57.242135048 CET	8443	49735	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:57.242201090 CET	49735	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:57.242593050 CET	49735	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:57.243691921 CET	49735	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:57.247366905 CET	8443	49735	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:57.248471022 CET	8443	49735	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:58.337790966 CET	8443	49735	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:58.337949038 CET	49735	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:58.441637039 CET	49734	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:58.442125082 CET	49736	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:58.446670055 CET	8443	49734	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:58.446755886 CET	49734	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:58.448221922 CET	8443	49736	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:58.448295116 CET	49736	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:58.448626995 CET	49736	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:58.453480005 CET	8443	49736	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:58.905622959 CET	8443	49736	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:58.905750990 CET	49736	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:58.906327963 CET	49736	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:58.907426119 CET	49736	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:51:58.911084890 CET	8443	49736	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:58.912247896 CET	8443	49736	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:59.998955965 CET	8443	49736	188.114.97.3	192.168.2.8
Jan 3, 2025 12:51:59.999064922 CET	49736	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:00.113454103 CET	49735	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:00.114104033 CET	49737	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:00.118669033 CET	8443	49735	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:00.118724108 CET	49735	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:00.118938923 CET	8443	49737	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:00.119018078 CET	49737	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:00.119575024 CET	49737	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:00.124293089 CET	8443	49737	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:00.585314989 CET	8443	49737	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:00.585453033 CET	49737	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:00.585987091 CET	49737	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:00.587122917 CET	49737	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:00.592381001 CET	8443	49737	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:00.594110966 CET	8443	49737	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:01.684194088 CET	8443	49737	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:01.684263945 CET	49737	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:01.785461903 CET	49736	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:01.790564060 CET	8443	49736	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:01.790667057 CET	49736	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:01.824079037 CET	49738	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:01.830394983 CET	8443	49738	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:01.832073927 CET	49738	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:01.832823992 CET	49738	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:01.837641954 CET	8443	49738	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:02.302201033 CET	8443	49738	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:02.302294970 CET	49738	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:02.302850962 CET	49738	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:02.303889990 CET	49738	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:02.307682037 CET	8443	49738	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:02.308712006 CET	8443	49738	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:03.431193113 CET	8443	49738	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:03.431329012 CET	49738	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:03.535566092 CET	49737	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:03.536005974 CET	49739	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:03.540652037 CET	8443	49737	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:03.540729046 CET	49737	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:03.540812969 CET	8443	49739	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:03.540879011 CET	49739	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:03.541168928 CET	49739	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:03.545922041 CET	8443	49739	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:03.993846893 CET	8443	49739	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:03.993962049 CET	49739	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:04.018870115 CET	49739	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:04.023720026 CET	8443	49739	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:04.035280943 CET	49739	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:04.041949034 CET	8443	49739	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:05.111244917 CET	8443	49739	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:05.111337900 CET	49739	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:05.223128080 CET	49738	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:05.223762035 CET	49741	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:05.228578091 CET	8443	49741	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:05.228692055 CET	49741	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:05.229036093 CET	49741	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:05.237670898 CET	8443	49738	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:05.237684011 CET	8443	49741	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:05.237761021 CET	49738	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:05.698540926 CET	8443	49741	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:05.698632956 CET	49741	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:05.699083090 CET	49741	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:05.700119972 CET	49741	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:05.703824997 CET	8443	49741	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:05.704916000 CET	8443	49741	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:06.773896933 CET	8443	49741	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:06.773967981 CET	49741	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:06.895381927 CET	49739	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:06.895929098 CET	49742	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:06.900737047 CET	8443	49739	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:06.900794983 CET	49739	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:06.900996923 CET	8443	49742	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:06.901088953 CET	49742	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:06.901824951 CET	49742	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:06.906565905 CET	8443	49742	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:07.346419096 CET	8443	49742	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:07.346488953 CET	49742	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:07.347111940 CET	49742	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:07.348541975 CET	49742	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:07.351870060 CET	8443	49742	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:07.353419065 CET	8443	49742	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:08.446587086 CET	8443	49742	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:08.446722984 CET	49742	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:08.551117897 CET	49741	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:08.551676035 CET	49743	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:08.556319952 CET	8443	49741	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:08.556529999 CET	8443	49743	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:08.556725025 CET	49743	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:08.556725025 CET	49741	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:08.556966066 CET	49743	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:08.561834097 CET	8443	49743	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:09.000854015 CET	8443	49743	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:09.000971079 CET	49743	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:09.001549006 CET	49743	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:09.002724886 CET	49743	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:09.006365061 CET	8443	49743	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:09.007477045 CET	8443	49743	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:10.085225105 CET	8443	49743	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:10.085328102 CET	49743	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:10.191663027 CET	49742	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:10.192394018 CET	49744	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:10.196762085 CET	8443	49742	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:10.196861029 CET	49742	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:10.197210073 CET	8443	49744	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:10.197307110 CET	49744	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:10.197786093 CET	49744	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:10.202522039 CET	8443	49744	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:10.642987013 CET	8443	49744	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:10.643191099 CET	49744	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:10.643717051 CET	49744	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:10.644916058 CET	49744	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:10.648439884 CET	8443	49744	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:10.649729967 CET	8443	49744	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:11.748855114 CET	8443	49744	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:11.749047041 CET	49744	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:11.863466024 CET	49743	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:11.864337921 CET	49745	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:11.868588924 CET	8443	49743	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:11.868658066 CET	49743	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:11.869165897 CET	8443	49745	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:11.869241953 CET	49745	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:11.869571924 CET	49745	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:11.874393940 CET	8443	49745	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:12.335410118 CET	8443	49745	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:12.335556030 CET	49745	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:12.341772079 CET	49745	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:12.342834949 CET	49745	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:12.346628904 CET	8443	49745	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:12.347697973 CET	8443	49745	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:13.444720030 CET	8443	49745	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:13.446060896 CET	49745	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:13.551052094 CET	49744	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:13.551737070 CET	49746	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:13.556186914 CET	8443	49744	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:13.556493998 CET	8443	49746	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:13.556596041 CET	49744	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:13.556615114 CET	49746	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:13.557001114 CET	49746	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:13.561832905 CET	8443	49746	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:14.001748085 CET	8443	49746	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:14.001916885 CET	49746	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:14.002437115 CET	49746	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:14.003599882 CET	49746	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:14.007761955 CET	8443	49746	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:14.008858919 CET	8443	49746	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:15.078663111 CET	8443	49746	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:15.078784943 CET	49746	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:15.192485094 CET	49745	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:15.193042994 CET	49747	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:15.197623014 CET	8443	49745	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:15.197684050 CET	49745	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:15.197933912 CET	8443	49747	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:15.197990894 CET	49747	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:15.198198080 CET	49747	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:15.202944040 CET	8443	49747	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:15.645009995 CET	8443	49747	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:15.645127058 CET	49747	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:15.656346083 CET	49747	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:15.657434940 CET	49747	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:15.661127090 CET	8443	49747	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:15.662277937 CET	8443	49747	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:16.729758024 CET	8443	49747	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:16.729932070 CET	49747	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:16.832264900 CET	49746	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:16.833014965 CET	49748	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:16.837327003 CET	8443	49746	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:16.837817907 CET	8443	49748	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:16.837889910 CET	49746	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:16.837934971 CET	49748	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:16.838207960 CET	49748	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:16.842945099 CET	8443	49748	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:17.311892986 CET	8443	49748	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:17.312345028 CET	49748	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:17.312787056 CET	49748	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:17.313905954 CET	49748	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:17.317604065 CET	8443	49748	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:17.318671942 CET	8443	49748	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:18.422491074 CET	8443	49748	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:18.422584057 CET	49748	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:18.535448074 CET	49747	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:18.536035061 CET	49749	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:18.540544987 CET	8443	49747	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:18.540611029 CET	49747	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:18.540888071 CET	8443	49749	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:18.540958881 CET	49749	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:18.541177988 CET	49749	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:18.546019077 CET	8443	49749	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:18.992295980 CET	8443	49749	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:18.992417097 CET	49749	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:18.992981911 CET	49749	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:18.994160891 CET	49749	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:18.997834921 CET	8443	49749	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:18.998994112 CET	8443	49749	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:20.092559099 CET	8443	49749	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:20.092619896 CET	49749	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:20.207299948 CET	49748	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:20.208039045 CET	49750	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:20.212522030 CET	8443	49748	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:20.212594986 CET	49748	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:20.212882042 CET	8443	49750	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:20.212963104 CET	49750	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:20.213268042 CET	49750	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:20.218024969 CET	8443	49750	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:20.659414053 CET	8443	49750	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:20.659481049 CET	49750	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:20.659866095 CET	49750	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:20.661268950 CET	49750	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:20.664730072 CET	8443	49750	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:20.666068077 CET	8443	49750	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:21.837055922 CET	8443	49750	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:21.837137938 CET	49750	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:21.941802025 CET	49749	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:21.942320108 CET	49751	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:21.946919918 CET	8443	49749	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:21.947012901 CET	49749	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:21.947153091 CET	8443	49751	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:21.947235107 CET	49751	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:21.947581053 CET	49751	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:21.952460051 CET	8443	49751	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:22.400013924 CET	8443	49751	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:22.400255919 CET	49751	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:22.400640965 CET	49751	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:22.401879072 CET	49751	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:22.405497074 CET	8443	49751	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:22.406764984 CET	8443	49751	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:23.507989883 CET	8443	49751	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:23.508055925 CET	49751	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:23.613765001 CET	49750	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:23.614437103 CET	49752	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:23.618983030 CET	8443	49750	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:23.619106054 CET	49750	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:23.619246960 CET	8443	49752	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:23.619329929 CET	49752	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:23.619683027 CET	49752	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:23.624468088 CET	8443	49752	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:24.079965115 CET	8443	49752	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:24.080048084 CET	49752	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:24.080534935 CET	49752	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:24.081628084 CET	49752	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:24.085283995 CET	8443	49752	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:24.086410046 CET	8443	49752	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:25.171386957 CET	8443	49752	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:25.171449900 CET	49752	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:25.285422087 CET	49751	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:25.285974026 CET	49753	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:25.290568113 CET	8443	49751	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:25.290668011 CET	49751	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:25.290776968 CET	8443	49753	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:25.290838003 CET	49753	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:25.291107893 CET	49753	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:25.295855045 CET	8443	49753	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:25.950345039 CET	8443	49753	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:25.950967073 CET	49753	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:25.950967073 CET	49753	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:25.951982975 CET	49753	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:25.955831051 CET	8443	49753	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:25.956880093 CET	8443	49753	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:27.106447935 CET	8443	49753	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:27.106549025 CET	49753	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:27.223834038 CET	49752	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:27.224431992 CET	49754	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:27.228962898 CET	8443	49752	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:27.229028940 CET	49752	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:27.229254007 CET	8443	49754	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:27.229329109 CET	49754	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:27.229640007 CET	49754	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:27.234380960 CET	8443	49754	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:27.672696114 CET	8443	49754	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:27.672945976 CET	49754	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:27.673661947 CET	49754	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:27.674751997 CET	49754	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:27.678493977 CET	8443	49754	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:27.679539919 CET	8443	49754	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:28.780293941 CET	8443	49754	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:28.780525923 CET	49754	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:28.894912004 CET	49753	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:28.900043964 CET	8443	49753	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:28.900098085 CET	49753	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:28.913820982 CET	49755	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:28.918791056 CET	8443	49755	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:28.918932915 CET	49755	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:28.919234991 CET	49755	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:28.924005032 CET	8443	49755	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:29.375775099 CET	8443	49755	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:29.375932932 CET	49755	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:29.376693010 CET	49755	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:29.377763987 CET	49755	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:29.381510019 CET	8443	49755	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:29.382563114 CET	8443	49755	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:30.473329067 CET	8443	49755	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:30.473462105 CET	49755	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:30.582277060 CET	49754	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:30.583281040 CET	49756	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:30.587261915 CET	8443	49754	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:30.587342978 CET	49754	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:30.588113070 CET	8443	49756	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:30.588196039 CET	49756	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:30.588562012 CET	49756	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:30.593394995 CET	8443	49756	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:31.034008980 CET	8443	49756	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:31.034106970 CET	49756	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:31.034646988 CET	49756	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:31.036000967 CET	49756	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:31.039434910 CET	8443	49756	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:31.040733099 CET	8443	49756	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:32.138397932 CET	8443	49756	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:32.138509035 CET	49756	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:32.258127928 CET	49755	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:32.258675098 CET	49757	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:32.263443947 CET	8443	49755	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:32.263465881 CET	8443	49757	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:32.263551950 CET	49755	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:32.263597965 CET	49757	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:32.263969898 CET	49757	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:32.268712044 CET	8443	49757	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:32.725663900 CET	8443	49757	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:32.725725889 CET	49757	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:32.726116896 CET	49757	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:32.727051973 CET	49757	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:32.730885983 CET	8443	49757	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:32.731878042 CET	8443	49757	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:33.894099951 CET	8443	49757	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:33.894349098 CET	49757	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:34.004374027 CET	49756	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:34.004928112 CET	49758	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:34.009856939 CET	8443	49758	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:34.009995937 CET	49758	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:34.010051966 CET	8443	49756	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:34.010108948 CET	49756	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:34.010359049 CET	49758	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:34.015135050 CET	8443	49758	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:34.456254005 CET	8443	49758	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:34.456346989 CET	49758	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:34.456763983 CET	49758	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:34.457894087 CET	49758	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:34.461590052 CET	8443	49758	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:34.462738037 CET	8443	49758	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:35.587210894 CET	8443	49758	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:35.587270021 CET	49758	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:35.692861080 CET	49757	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:35.693417072 CET	49759	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:35.698046923 CET	8443	49757	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:35.698193073 CET	8443	49759	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:35.698288918 CET	49757	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:35.698358059 CET	49759	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:35.698748112 CET	49759	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:35.703542948 CET	8443	49759	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:36.149691105 CET	8443	49759	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:36.149841070 CET	49759	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:36.150336981 CET	49759	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:36.151349068 CET	49759	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:36.155249119 CET	8443	49759	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:36.156135082 CET	8443	49759	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:37.251157045 CET	8443	49759	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:37.251329899 CET	49759	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:37.363543034 CET	49758	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:37.364032030 CET	49760	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:37.368612051 CET	8443	49758	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:37.368685007 CET	49758	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:37.368942022 CET	8443	49760	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:37.369018078 CET	49760	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:37.369323969 CET	49760	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:37.374058962 CET	8443	49760	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:37.838696957 CET	8443	49760	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:37.838844061 CET	49760	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:37.870798111 CET	49760	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:37.871772051 CET	49760	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:37.876812935 CET	8443	49760	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:37.876823902 CET	8443	49760	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:38.980834961 CET	8443	49760	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:38.980933905 CET	49760	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:39.082313061 CET	49759	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:39.082827091 CET	49761	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:39.087445974 CET	8443	49759	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:39.087528944 CET	49759	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:39.087649107 CET	8443	49761	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:39.087713003 CET	49761	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:39.087903023 CET	49761	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:39.092638016 CET	8443	49761	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:39.558440924 CET	8443	49761	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:39.562191963 CET	49761	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:39.562614918 CET	49761	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:39.563601017 CET	49761	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:39.567703009 CET	8443	49761	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:39.568351984 CET	8443	49761	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:40.643896103 CET	8443	49761	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:40.644013882 CET	49761	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:40.754160881 CET	49760	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:40.754645109 CET	49762	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:40.759222984 CET	8443	49760	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:40.759325981 CET	49760	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:40.759423971 CET	8443	49762	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:40.759499073 CET	49762	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:40.759783983 CET	49762	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:40.764517069 CET	8443	49762	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:41.224261045 CET	8443	49762	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:41.224378109 CET	49762	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:41.224891901 CET	49762	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:41.226180077 CET	49762	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:41.229691982 CET	8443	49762	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:41.230957985 CET	8443	49762	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:42.290716887 CET	8443	49762	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:42.290806055 CET	49762	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:42.395459890 CET	49761	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:42.396126986 CET	49763	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:42.400681019 CET	8443	49761	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:42.400758982 CET	49761	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:42.400917053 CET	8443	49763	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:42.401139021 CET	49763	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:42.401396990 CET	49763	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:42.406244040 CET	8443	49763	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:42.858108044 CET	8443	49763	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:42.858223915 CET	49763	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:42.858750105 CET	49763	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:42.860301971 CET	49763	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:42.863544941 CET	8443	49763	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:42.865124941 CET	8443	49763	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:43.978296041 CET	8443	49763	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:43.978449106 CET	49763	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:44.098690987 CET	49762	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:44.099289894 CET	49764	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:44.103812933 CET	8443	49762	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:44.103900909 CET	49762	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:44.104134083 CET	8443	49764	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:44.104217052 CET	49764	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:44.104433060 CET	49764	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:44.109225035 CET	8443	49764	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:44.571475983 CET	8443	49764	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:44.571597099 CET	49764	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:44.616497040 CET	49764	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:44.618072987 CET	49764	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:44.621366978 CET	8443	49764	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:44.622833967 CET	8443	49764	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:45.704106092 CET	8443	49764	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:45.704323053 CET	49764	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:45.817688942 CET	49763	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:45.822909117 CET	8443	49763	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:45.822968006 CET	49763	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:45.832484961 CET	49765	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:45.837357044 CET	8443	49765	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:45.837460995 CET	49765	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:45.837706089 CET	49765	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:45.842472076 CET	8443	49765	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:46.284993887 CET	8443	49765	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:46.285111904 CET	49765	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:46.285533905 CET	49765	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:46.286665916 CET	49765	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:46.290321112 CET	8443	49765	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:46.291501999 CET	8443	49765	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:47.373739004 CET	8443	49765	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:47.373847961 CET	49765	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:47.513062954 CET	49764	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:47.513850927 CET	49766	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:47.518143892 CET	8443	49764	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:47.518198967 CET	49764	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:47.518650055 CET	8443	49766	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:47.518711090 CET	49766	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:47.519098997 CET	49766	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:47.523943901 CET	8443	49766	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:47.985877037 CET	8443	49766	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:47.986243010 CET	49766	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:47.986923933 CET	49766	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:47.988394976 CET	49766	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:47.991729021 CET	8443	49766	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:47.993298054 CET	8443	49766	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:49.081648111 CET	8443	49766	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:49.081899881 CET	49766	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:49.192711115 CET	49765	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:49.193366051 CET	49767	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:49.198196888 CET	8443	49767	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:49.198352098 CET	49767	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:49.198512077 CET	8443	49765	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:49.198602915 CET	49765	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:49.203634977 CET	49767	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:49.208498001 CET	8443	49767	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:49.645762920 CET	8443	49767	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:49.645870924 CET	49767	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:49.646431923 CET	49767	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:49.647612095 CET	49767	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:49.651221991 CET	8443	49767	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:49.652412891 CET	8443	49767	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:50.728312016 CET	8443	49767	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:50.728452921 CET	49767	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:50.833129883 CET	49766	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:50.833842993 CET	49768	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:50.838347912 CET	8443	49766	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:50.838562012 CET	49766	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:50.838705063 CET	8443	49768	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:50.838782072 CET	49768	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:50.839044094 CET	49768	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:50.843846083 CET	8443	49768	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:51.304375887 CET	8443	49768	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:51.304528952 CET	49768	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:51.305336952 CET	49768	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:51.306329012 CET	49768	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:51.310131073 CET	8443	49768	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:51.311152935 CET	8443	49768	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:52.374126911 CET	8443	49768	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:52.374250889 CET	49768	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:52.491689920 CET	49767	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:52.492364883 CET	49769	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:52.496830940 CET	8443	49767	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:52.496903896 CET	49767	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:52.497231960 CET	8443	49769	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:52.497306108 CET	49769	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:52.497555971 CET	49769	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:52.502330065 CET	8443	49769	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:52.953387976 CET	8443	49769	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:52.953583956 CET	49769	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:52.954054117 CET	49769	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:52.955334902 CET	49769	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:52.958820105 CET	8443	49769	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:52.960134983 CET	8443	49769	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:54.065597057 CET	8443	49769	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:54.067318916 CET	49769	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:54.398684978 CET	49768	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:54.399244070 CET	49770	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:54.404073954 CET	8443	49770	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:54.404149055 CET	8443	49768	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:54.404165030 CET	49770	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:54.404266119 CET	49768	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:54.404942036 CET	49770	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:54.409771919 CET	8443	49770	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:54.849961042 CET	8443	49770	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:54.850054979 CET	49770	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:54.850549936 CET	49770	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:54.851573944 CET	49770	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:54.856028080 CET	8443	49770	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:54.856340885 CET	8443	49770	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:55.970001936 CET	8443	49770	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:55.970097065 CET	49770	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:56.082937002 CET	49769	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:56.083465099 CET	49771	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:56.088125944 CET	8443	49769	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:56.088191986 CET	49769	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:56.088268995 CET	8443	49771	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:56.088422060 CET	49771	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:56.088730097 CET	49771	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:56.093472004 CET	8443	49771	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:56.535141945 CET	8443	49771	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:56.535334110 CET	49771	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:56.535780907 CET	49771	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:56.536719084 CET	49771	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:56.540576935 CET	8443	49771	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:56.541604042 CET	8443	49771	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:57.615398884 CET	8443	49771	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:57.615464926 CET	49771	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:57.723761082 CET	49770	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:57.724333048 CET	49772	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:57.728888988 CET	8443	49770	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:57.728950024 CET	49770	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:57.729141951 CET	8443	49772	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:57.729224920 CET	49772	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:57.729559898 CET	49772	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:57.734298944 CET	8443	49772	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:58.174338102 CET	8443	49772	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:58.174422026 CET	49772	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:58.174907923 CET	49772	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:58.176230907 CET	49772	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:58.179673910 CET	8443	49772	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:58.181014061 CET	8443	49772	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:59.267813921 CET	8443	49772	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:59.270236015 CET	49772	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:59.382488012 CET	49771	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:59.383085966 CET	49773	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:59.387639999 CET	8443	49771	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:59.387940884 CET	8443	49773	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:59.388005018 CET	49771	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:59.388046980 CET	49773	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:59.437077999 CET	49773	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:59.442027092 CET	8443	49773	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:59.853811979 CET	8443	49773	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:59.853876114 CET	49773	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:59.854438066 CET	49773	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:59.855654955 CET	49773	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:52:59.859241962 CET	8443	49773	188.114.97.3	192.168.2.8
Jan 3, 2025 12:52:59.860435963 CET	8443	49773	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:00.961590052 CET	8443	49773	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:00.961858034 CET	49773	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:01.067382097 CET	49772	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:01.068006039 CET	49774	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:01.072494984 CET	8443	49772	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:01.072603941 CET	49772	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:01.072812080 CET	8443	49774	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:01.072897911 CET	49774	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:01.073266983 CET	49774	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:01.078027964 CET	8443	49774	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:01.558521986 CET	8443	49774	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:01.558603048 CET	49774	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:01.559025049 CET	49774	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:01.560054064 CET	49774	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:01.563744068 CET	8443	49774	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:01.564810991 CET	8443	49774	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:02.695673943 CET	8443	49774	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:02.695738077 CET	49774	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:02.801736116 CET	49773	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:02.802242994 CET	49775	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:02.807145119 CET	8443	49775	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:02.807348967 CET	49775	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:02.807593107 CET	49775	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:02.812331915 CET	8443	49775	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:02.818027973 CET	8443	49773	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:02.818095922 CET	49773	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:03.296807051 CET	8443	49775	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:03.296969891 CET	49775	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:03.297482014 CET	49775	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:03.298516035 CET	49775	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:03.302294970 CET	8443	49775	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:03.303338051 CET	8443	49775	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:04.385356903 CET	8443	49775	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:04.385483980 CET	49775	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:04.489324093 CET	49774	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:04.489845037 CET	49776	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:04.494611979 CET	8443	49774	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:04.494646072 CET	8443	49776	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:04.494708061 CET	49774	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:04.494770050 CET	49776	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:04.494949102 CET	49776	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:04.499775887 CET	8443	49776	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:04.960123062 CET	8443	49776	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:04.962207079 CET	49776	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:04.962606907 CET	49776	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:04.963629961 CET	49776	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:04.967885017 CET	8443	49776	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:04.968784094 CET	8443	49776	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:06.062585115 CET	8443	49776	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:06.062679052 CET	49776	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:06.177347898 CET	49775	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:06.178111076 CET	49777	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:06.182540894 CET	8443	49775	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:06.182724953 CET	49775	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:06.182997942 CET	8443	49777	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:06.183072090 CET	49777	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:06.183389902 CET	49777	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:06.188199043 CET	8443	49777	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:06.640921116 CET	8443	49777	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:06.641088963 CET	49777	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:06.641638994 CET	49777	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:06.642744064 CET	49777	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:06.646445990 CET	8443	49777	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:06.647516012 CET	8443	49777	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:07.795300007 CET	8443	49777	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:07.795397997 CET	49777	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:07.911236048 CET	49776	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:07.911969900 CET	49778	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:07.916392088 CET	8443	49776	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:07.916469097 CET	49776	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:07.916810989 CET	8443	49778	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:07.916992903 CET	49778	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:07.917365074 CET	49778	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:07.923377991 CET	8443	49778	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:08.382287979 CET	8443	49778	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:08.382420063 CET	49778	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:08.382905960 CET	49778	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:08.384077072 CET	49778	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:08.387729883 CET	8443	49778	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:08.388925076 CET	8443	49778	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:09.483417034 CET	8443	49778	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:09.483546019 CET	49778	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:09.599721909 CET	49777	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:09.600538015 CET	49779	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:09.604845047 CET	8443	49777	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:09.604897022 CET	49777	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:09.605317116 CET	8443	49779	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:09.605396032 CET	49779	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:09.605866909 CET	49779	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:09.610680103 CET	8443	49779	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:10.053250074 CET	8443	49779	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:10.053478003 CET	49779	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:10.053868055 CET	49779	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:10.054842949 CET	49779	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:10.058696985 CET	8443	49779	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:10.059607983 CET	8443	49779	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:11.127973080 CET	8443	49779	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:11.128210068 CET	49779	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:11.239463091 CET	49778	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:11.241494894 CET	49780	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:11.244469881 CET	8443	49778	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:11.244548082 CET	49778	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:11.246332884 CET	8443	49780	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:11.246398926 CET	49780	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:11.246905088 CET	49780	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:11.251689911 CET	8443	49780	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:11.693989992 CET	8443	49780	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:11.694068909 CET	49780	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:11.709382057 CET	49780	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:11.714117050 CET	8443	49780	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:11.721672058 CET	49780	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:11.726478100 CET	8443	49780	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:12.800878048 CET	8443	49780	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:12.804462910 CET	49780	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:12.916105986 CET	49779	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:12.916575909 CET	49781	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:12.921277046 CET	8443	49779	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:12.921334028 CET	8443	49781	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:12.921413898 CET	49779	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:12.921416044 CET	49781	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:12.921724081 CET	49781	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:12.926553011 CET	8443	49781	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:13.372431040 CET	8443	49781	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:13.376312971 CET	49781	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:13.376784086 CET	49781	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:13.377880096 CET	49781	8443	192.168.2.8	188.114.97.3
Jan 3, 2025 12:53:13.381643057 CET	8443	49781	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:13.382651091 CET	8443	49781	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:14.477008104 CET	8443	49781	188.114.97.3	192.168.2.8
Jan 3, 2025 12:53:14.477088928 CET	49781	8443	192.168.2.8	188.114.97.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 12:51:11.277395010 CET	60082	53	192.168.2.8	1.1.1.1
Jan 3, 2025 12:51:11.293634892 CET	53	60082	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 12:51:11.277395010 CET	192.168.2.8	1.1.1.1	0xc15f	Standard query (0)	632313373.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 12:51:11.293634892 CET	1.1.1.1	192.168.2.8	0xc15f	No error (0)	632313373.xyz		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 3, 2025 12:51:11.293634892 CET	1.1.1.1	192.168.2.8	0xc15f	No error (0)	632313373.xyz		188.114.96.3	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:51:09
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\m.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\m.exe"
Imagebase:	0xf80000
File size:	3'900'928 bytes
MD5 hash:	B7582A23E2181D7FA6E5D1517BE74B66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.2637998442.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	06:51:09
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.3%
Total number of Nodes:	207
Total number of Limit Nodes:	26

Executed Functions

Function 0000024EF3E25E28 Relevance: 4.7, APIs: 3, Instructions: 190
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000024EF3E25FEC: malloc.LIBCMT ref: 0000024EF3E26008

GetUserNameA.ADVAPI32(?,?,?,?,?,?,?,-00000001,?,-00000001,?,00000002,0000024EF3E1CC89), ref: 0000024EF3E25EAF
strrchr.LIBCMT ref: 0000024EF3E25EED
_snprintf.LIBCMT ref: 0000024EF3E25F9B

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: NameUser_snprintfmallocstrrchr
String ID:
API String ID: 1238167203-0
Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction ID: 30e6ce83141ffb9b89181774d0725c25ab9bff6a8152f3ae26a406ec27f18308
Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction Fuzzy Hash: 20516330718B084FFA58BB68945A7A9B2D2FBC8310F15452DF48FC3797DAB8D8468746

Function 0000024EF3E1CA74 Relevance: 7.9, APIs: 6, Instructions: 411
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000024EF3E25FEC: malloc.LIBCMT ref: 0000024EF3E26008

malloc.LIBCMT ref: 0000024EF3E1CB3B

Part of subcall function 0000024EF3E2F284: _FF_MSGBANNER.LIBCMT ref: 0000024EF3E2F2B4
Part of subcall function 0000024EF3E2F284: _NMSG_WRITE.LIBCMT ref: 0000024EF3E2F2BE
Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F2F2
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F2FD
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F308

Part of subcall function 0000024EF3E2C230: malloc.LIBCMT ref: 0000024EF3E2C29C

Part of subcall function 0000024EF3E2EAA8: malloc.LIBCMT ref: 0000024EF3E2EAF8

Part of subcall function 0000024EF3E2EAA8: realloc.LIBCMT ref: 0000024EF3E2EB07

malloc.LIBCMT ref: 0000024EF3E1CC4A
_snprintf.LIBCMT ref: 0000024EF3E1CCC1
_snprintf.LIBCMT ref: 0000024EF3E1CCE7
_snprintf.LIBCMT ref: 0000024EF3E1CD0E
free.LIBCMT ref: 0000024EF3E1CEC6

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno$_callnewhfreerealloc
String ID:
API String ID: 74200508-0
Opcode ID: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction ID: 462ec84ee4fe5e7181561b05f4b85661c3c1688370ec6d7d0fcbd7a814388b92
Opcode Fuzzy Hash: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction Fuzzy Hash: 6AD14330B14B4547FF68BB64889A7A973D1FF84300F57452DA446C3AD3EEACD90E8692

Function 0000024EF3E1E68C Relevance: 7.8, APIs: 5, Instructions: 260
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.LIBCMT ref: 0000024EF3E1E725

Part of subcall function 0000024EF3E2F63C: _errno.LIBCMT ref: 0000024EF3E2F673
Part of subcall function 0000024EF3E2F63C: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E2F67E

_snprintf.LIBCMT ref: 0000024EF3E1E7BD
_snprintf.LIBCMT ref: 0000024EF3E1E7D4
HttpOpenRequestA.WININET ref: 0000024EF3E1E818
InternetCloseHandle.WININET ref: 0000024EF3E1E898

Part of subcall function 0000024EF3E22D70: strchr.LIBCMT ref: 0000024EF3E22DD6
Part of subcall function 0000024EF3E22D70: _snprintf.LIBCMT ref: 0000024EF3E22E0C

Part of subcall function 0000024EF3E22C0C: strchr.LIBCMT ref: 0000024EF3E22C69
Part of subcall function 0000024EF3E22C0C: _snprintf.LIBCMT ref: 0000024EF3E22CB3

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _snprintf$strchr$CloseHandleHttpInternetOpenRequest_errno_invalid_parameter_noinfo
String ID:
API String ID: 3355560759-0
Opcode ID: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
Instruction ID: 1f8678a48a3af8cc79d4159fe7a23fbe5a032928df9dcf9fa00a5943b9fad803
Opcode Fuzzy Hash: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
Instruction Fuzzy Hash: BE81A831A187484FFB55EB14D8897AAB3E5FFD4311F02052DF48AC3292DEA8D9068782

Function 0000024EF3E1F014 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32 ref: 0000024EF3E1F042
WSAIoctl.WS2_32 ref: 0000024EF3E1F08F
closesocket.WS2_32 ref: 0000024EF3E1F0EE

Strings

_Cy, xrefs: 0000024EF3E1F0A1

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: IoctlSocketclosesocket
String ID: _Cy
API String ID: 3445158922-1085951347
Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction ID: a6f31b5e30861abd7f09f7f900404329af511983e09c2fa25ffcf82bec3ba98e
Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction Fuzzy Hash: 6031CC7051CF484BEB54EF2898887A677D1FB94315F12473ED44EC3192DB74C5468782

Function 0000024EF3E1EA48 Relevance: 3.2, APIs: 2, Instructions: 159
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 0000024EF3E1EB0C
InternetConnectA.WININET ref: 0000024EF3E1EB7A

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction ID: 4ff4013bffbee6d3938597f47a47ecc7fce630997cb8fdfe95c0eb9ab466c8a9
Opcode Fuzzy Hash: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction Fuzzy Hash: 26519330618B054FFF59EB28D89A76973D5FB88304F17042DE487C7692DABCD90A8742

Function 0000024EF3DC96B4 Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000024EF3DC977B

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
Instruction ID: 48aad8c85ff01159b3507570a56145974faccd14c4ebb724577fd8a1294b916d
Opcode Fuzzy Hash: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
Instruction Fuzzy Hash: D8719936219B8486DAA0CB0AE49035AB7A0F7C8BD8F514125EFCE83B68DF7DD555CB00

Function 0000024EF3DC9324 Relevance: 1.3, APIs: 1, Instructions: 87
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000024EF3DC9471

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction ID: a2be6f9470d276f148ef2c2cae89fc467a2faf1ff55d9b06785e1b076a462b07
Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction Fuzzy Hash: E141BA72628B84C7DB50CB19E44471AB7A1F3C8B94F111225FACE83BA8DB3CD4558F04

Function 00FEF220 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2636069717.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2636012413.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636234506.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636496768.0000000001318000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636529189.000000000131A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636552047.000000000131F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636578296.000000000132C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636593892.000000000132D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636593892.0000000001346000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636593892.0000000001349000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636593892.000000000134C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636593892.0000000001374000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636681250.0000000001378000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636696726.000000000137F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636710963.0000000001380000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a83c295b55d1fb3924cfc6086ff6026e810ee76d85704118357723c5304dc2
Instruction ID: aa2c91fc79940eba4079ddab2333dbf74e30367a24dde2999a26ff39d9aebee5
Opcode Fuzzy Hash: a2a83c295b55d1fb3924cfc6086ff6026e810ee76d85704118357723c5304dc2
Instruction Fuzzy Hash: B9319A6391CFC482D3218B25F5413AAB364F7A9784F15A715EFC812A1ADF38E2E5CB40

Function 00FEB5C0 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2636069717.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.2636012413.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636234506.000000000103D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636496768.0000000001318000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636529189.000000000131A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636552047.000000000131F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636578296.000000000132C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636593892.000000000132D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636593892.0000000001346000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636593892.0000000001349000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636593892.000000000134C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636593892.0000000001374000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636681250.0000000001378000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636696726.000000000137F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2636710963.0000000001380000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f80000_m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f426410239744f5ba57e2b78151ac65bfe157d6a2c0a85e8369f5e0dce230c44
Instruction ID: 5f21e3ffaabd9afb935586c06ba919c12bd6afbc45323d1118ca008ceaf13e0b
Opcode Fuzzy Hash: f426410239744f5ba57e2b78151ac65bfe157d6a2c0a85e8369f5e0dce230c44
Instruction Fuzzy Hash:

Non-executed Functions

Function 0000024EF3DD239C Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000024EF3DD23FD

Part of subcall function 0000024EF3DD0A00: _getptd.LIBCMT ref: 0000024EF3DD0A16
Part of subcall function 0000024EF3DD0A00: __updatetlocinfo.LIBCMT ref: 0000024EF3DD0A4B
Part of subcall function 0000024EF3DD0A00: __updatetmbcinfo.LIBCMT ref: 0000024EF3DD0A72

_errno.LIBCMT ref: 0000024EF3DD2402

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

_fileno.LIBCMT ref: 0000024EF3DD242F

Part of subcall function 0000024EF3DD4E54: _errno.LIBCMT ref: 0000024EF3DD4E5D
Part of subcall function 0000024EF3DD4E54: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DD4E68

write_multi_char.LIBCMT ref: 0000024EF3DD2A6B
write_string.LIBCMT ref: 0000024EF3DD2A88
write_multi_char.LIBCMT ref: 0000024EF3DD2AA5
write_string.LIBCMT ref: 0000024EF3DD2B04
write_string.LIBCMT ref: 0000024EF3DD2B3B
write_multi_char.LIBCMT ref: 0000024EF3DD2B5D
free.LIBCMT ref: 0000024EF3DD2B71
_isleadbyte_l.LIBCMT ref: 0000024EF3DD2C42
write_char.LIBCMT ref: 0000024EF3DD2C58
write_char.LIBCMT ref: 0000024EF3DD2C79
_errno.LIBCMT ref: 0000024EF3DD2D7C
_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DD2D87

Strings

, xrefs: 0000024EF3DD2A3F
@, xrefs: 0000024EF3DD241B

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
Instruction ID: 68cce5b7de111b20689b70ddfef19f01d702cd9db9c409083829ba817993a00b
Opcode Fuzzy Hash: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
Instruction Fuzzy Hash: 4352EE6260868486FF658F18D54C3AE7BA0B745786F271005DE4A87EE8DBFFC949CB00

Function 0000024EF3E32F9C Relevance: 30.8, APIs: 15, Strings: 2, Instructions: 1030COMMON

Download Yara Rule

APIs

Part of subcall function 0000024EF3E31600: _getptd.LIBCMT ref: 0000024EF3E31616
Part of subcall function 0000024EF3E31600: __updatetlocinfo.LIBCMT ref: 0000024EF3E3164B
Part of subcall function 0000024EF3E31600: __updatetmbcinfo.LIBCMT ref: 0000024EF3E31672

_errno.LIBCMT ref: 0000024EF3E33002

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

_fileno.LIBCMT ref: 0000024EF3E3302F

Part of subcall function 0000024EF3E35A54: _errno.LIBCMT ref: 0000024EF3E35A5D
Part of subcall function 0000024EF3E35A54: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E35A68

write_multi_char.LIBCMT ref: 0000024EF3E3366B
write_string.LIBCMT ref: 0000024EF3E33688
write_multi_char.LIBCMT ref: 0000024EF3E336A5
write_string.LIBCMT ref: 0000024EF3E33704
write_multi_char.LIBCMT ref: 0000024EF3E3375D
free.LIBCMT ref: 0000024EF3E33771
_isleadbyte_l.LIBCMT ref: 0000024EF3E33842
write_char.LIBCMT ref: 0000024EF3E33858
write_char.LIBCMT ref: 0000024EF3E33879
_errno.LIBCMT ref: 0000024EF3E3397C
_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E33987

Strings

, xrefs: 0000024EF3E3363F
@, xrefs: 0000024EF3E3301B

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3613058218-1077428164
Opcode ID: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
Instruction ID: da5e9ca419444bd130d6e483819fefbce22262c101a97853436e82c7298d92d9
Opcode Fuzzy Hash: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
Instruction Fuzzy Hash: B1620C30B187498AFF698A18C44DBB9FBD1FF65310F27421DD48BC3AD2D6ADD80A8641

Function 0000024EF3E32528 Relevance: 29.0, APIs: 15, Strings: 1, Instructions: 1022COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000024EF3E31600: _getptd.LIBCMT ref: 0000024EF3E31616
Part of subcall function 0000024EF3E31600: __updatetlocinfo.LIBCMT ref: 0000024EF3E3164B
Part of subcall function 0000024EF3E31600: __updatetmbcinfo.LIBCMT ref: 0000024EF3E31672

_errno.LIBCMT ref: 0000024EF3E3258E

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

_fileno.LIBCMT ref: 0000024EF3E325BB

Part of subcall function 0000024EF3E35A54: _errno.LIBCMT ref: 0000024EF3E35A5D
Part of subcall function 0000024EF3E35A54: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E35A68

write_multi_char.LIBCMT ref: 0000024EF3E32BEB
write_string.LIBCMT ref: 0000024EF3E32C08
write_multi_char.LIBCMT ref: 0000024EF3E32C25
write_string.LIBCMT ref: 0000024EF3E32C84
write_multi_char.LIBCMT ref: 0000024EF3E32CDD
free.LIBCMT ref: 0000024EF3E32CF1
_isleadbyte_l.LIBCMT ref: 0000024EF3E32DC2
write_char.LIBCMT ref: 0000024EF3E32DD8
write_char.LIBCMT ref: 0000024EF3E32DF9
_errno.LIBCMT ref: 0000024EF3E32EF3
_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E32EFE

Strings

, xrefs: 0000024EF3E32BBF

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3613058218-3916222277
Opcode ID: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
Instruction ID: 9901fb0017abfb7de6b17624ae71f76db65c06e8995a2980e13d63816630af2b
Opcode Fuzzy Hash: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
Instruction Fuzzy Hash: 8B62E730B18B498AFF688A18C4593B9FBE1FF95310F67411DD4C6C3AD2D6BD984A8781

Function 0000024EF3DD1928 Relevance: 28.6, APIs: 14, Strings: 2, Instructions: 645COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000024EF3DD1989

Part of subcall function 0000024EF3DD0A00: _getptd.LIBCMT ref: 0000024EF3DD0A16
Part of subcall function 0000024EF3DD0A00: __updatetlocinfo.LIBCMT ref: 0000024EF3DD0A4B
Part of subcall function 0000024EF3DD0A00: __updatetmbcinfo.LIBCMT ref: 0000024EF3DD0A72

_errno.LIBCMT ref: 0000024EF3DD198E

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

_fileno.LIBCMT ref: 0000024EF3DD19BB

Part of subcall function 0000024EF3DD4E54: _errno.LIBCMT ref: 0000024EF3DD4E5D
Part of subcall function 0000024EF3DD4E54: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DD4E68

write_multi_char.LIBCMT ref: 0000024EF3DD1FEB
write_string.LIBCMT ref: 0000024EF3DD2008
_errno.LIBCMT ref: 0000024EF3DD22F3
_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DD22FE

Strings

-, xrefs: 0000024EF3DD1F9C
0, xrefs: 0000024EF3DD1D28

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
String ID: -$0
API String ID: 3246410048-417717675
Opcode ID: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
Instruction ID: 42468447cd2d548ff13c2c4972f05820bdfc5be14defd55c9a68526ccd9af776
Opcode Fuzzy Hash: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
Instruction Fuzzy Hash: CE420E6260868586FFA58F24D5483BE7BA8F741786F174005EA46C6ED9DBBFC94CCB00

Function 0000024EF3DD5914 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000024EF3DD596A
_errno.LIBCMT ref: 0000024EF3DD5971
_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DD597C

Strings

U, xrefs: 0000024EF3DD5EDE

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
Instruction ID: bfb18c8b20beabdfdb27af3ee94a7d0dc97a0993f6bfc0b24dab73fefe9f6f6e
Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
Instruction Fuzzy Hash: EA12F13221464986FF209F28D48836EB7A2F785756F530116EE89C7E98DBBEC54DCB10

Function 0000024EF3E27B38 Relevance: 13.3, APIs: 10, Instructions: 790COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000024EF3E27CA5
_snprintf.LIBCMT ref: 0000024EF3E27D66
_snprintf.LIBCMT ref: 0000024EF3E27D83
_snprintf.LIBCMT ref: 0000024EF3E27FD8
_snprintf.LIBCMT ref: 0000024EF3E280E8
_snprintf.LIBCMT ref: 0000024EF3E281A6
_snprintf.LIBCMT ref: 0000024EF3E2825E
_snprintf.LIBCMT ref: 0000024EF3E28002

Part of subcall function 0000024EF3E2F63C: _errno.LIBCMT ref: 0000024EF3E2F673
Part of subcall function 0000024EF3E2F63C: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E2F67E

_snprintf.LIBCMT ref: 0000024EF3E28276
_snprintf.LIBCMT ref: 0000024EF3E28334

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction ID: 8b89bb7de478705ca71b18fed3bfe4551cff95a639afb3b617cc343be2d550e5
Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction Fuzzy Hash: BE52F83091CE898BFB69AB2CD8467E4F3E0FF64305F465208D985C3952EB78E5878781

Function 0000024EF3DC6F38 Relevance: 13.0, APIs: 10, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000024EF3DC7166
_snprintf.LIBCMT ref: 0000024EF3DC7183
_snprintf.LIBCMT ref: 0000024EF3DC70A5

Part of subcall function 0000024EF3DCEA3C: _errno.LIBCMT ref: 0000024EF3DCEA73
Part of subcall function 0000024EF3DCEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DCEA7E

_snprintf.LIBCMT ref: 0000024EF3DC73D8
_snprintf.LIBCMT ref: 0000024EF3DC7734

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction ID: 49753f6297a52655a6102713315c69e68a5fe35f34c3370f925d6d1c1bc8b346
Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction Fuzzy Hash: 8942A8A1624E8492FF168B29D0053E9A3A0FF947D9F065101DF8957F61EF7DD2AAC340

Function 0000024EF3DDB7B0 Relevance: 5.9, Strings: 4, Instructions: 884COMMONLIBRARYCODE

Download Yara Rule

Strings

<, xrefs: 0000024EF3DDBE6E
e ', xrefs: 0000024EF3DDC405, 0000024EF3DDC47E, 0000024EF3DDC4F7, 0000024EF3DDC570
, xrefs: 0000024EF3DDBE63
ailure #%d - %s, xrefs: 0000024EF3DDC41F, 0000024EF3DDC498, 0000024EF3DDC511, 0000024EF3DDC58A

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID:
String ID: $<$ailure #%d - %s$e '
API String ID: 0-963976815
Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction ID: 2fee86df13c1687c08b2bca953b563d68e909b98052c0aa4bd32ca8d3a9468cd
Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction Fuzzy Hash: B392F1B2325A8087DB58CB1DE4A573AB7A1F3C8B84F44512AEB9B87794CE7CD451CB04

Function 0000024EF3DDC397 Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

e ', xrefs: 0000024EF3DDC405, 0000024EF3DDC47E, 0000024EF3DDC4F7, 0000024EF3DDC570
ailure #%d - %s, xrefs: 0000024EF3DDC41F, 0000024EF3DDC498, 0000024EF3DDC511, 0000024EF3DDC58A

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID:
String ID: ailure #%d - %s$e '
API String ID: 0-4163927988
Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction ID: ebaf2ab91cb2b24734a34bf669f911068959a0b6fdebd0272811dab4d846311e
Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction Fuzzy Hash: 126140B6214A508BDB14CB1DE4D462AB7E1F3CC7C4F85421AE78B87B68CA3DD549CB40

Function 0000024EF3E301A8 Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 0000024EF3E301DC

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _initp_misc_winsig
String ID:
API String ID: 2710132595-0
Opcode ID: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
Instruction ID: 631e23397b194b24feeeb0160e72b07d2e91beb4634247eeb4c08d80513e0e93
Opcode Fuzzy Hash: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
Instruction Fuzzy Hash: BDA1CD71619A098FFF54FF75E898AAA37B2F764301721893A904AC3174DABCD549CF40

Function 0000024EF3E3DBF0 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: 3a5dd352f029a1e6c12d442ec617bd9520056b36126ab67fb2d5f3242f3c23de
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: 86620A312286558FD31CCB1CC5B1B7AB7E1FB89340F44896DE287CB692C639DA45CB91

Function 0000024EF3E3D280 Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: 81a905f463a1ecd27826ec40dfb2c4fb6db6fc1a96b5c4074c1dd11ba145db61
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: B252EE312286558FD31CCF1CC5A1E7AB7E1FB8D340F448A6DE28ACB692C639E545CB91

Function 0000024EF3DDCFF0 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: 39db513e952f56f1e945f1110f1fdff87b325bb3bf14d9d3f2f906e417155b48
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: A85262B221895187DB08CB1CE4A173AB7E1F3C9B80F45852AE7978BB99CE7DD554CB00

Function 0000024EF3DDC680 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: 8e858a32900a3a8076e87e6edb2a045b378ff250f366a38f5d7b91daf446c72f
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: 5C5275B220498187DB08CF1DE4A473AB7E1F3C9B80F45852AE7868BB99CA7DD554CF40

Function 0000024EF3DB9680 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
Instruction ID: f8d4dc128e68adcbed38b6a733dd0f854fa376dbf4ff1e3f0066b7b7838e9bb5
Opcode Fuzzy Hash: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
Instruction Fuzzy Hash: F3F19772704A82C2FF21CB25D49839E63A1F795798F530115EA49C7E99EFBEC909CB40

Function 0000024EF3DBCE3C Relevance: .4, Instructions: 374COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
Instruction ID: 833f962865359a79d8c4f1505b021113fde6a4069aa98ac6a619493a4d8b5b9c
Opcode Fuzzy Hash: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
Instruction Fuzzy Hash: 85E19062A1064187FF64CF35E8493AA63A1F748794F078125DB8AD7F96DBBEE049C310

Function 0000024EF3DB916C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
Instruction ID: b141dd50262f1722b80a0a00c21da4bcbc8d64a27c6d0cb622d1868d918c3f93
Opcode Fuzzy Hash: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
Instruction Fuzzy Hash: 97E1C222704A82D2FF209B65D4983AE67A1F79578CF831011DA4DC7E99EBBEC90DC740

Function 0000024EF3DC0334 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
Instruction ID: dfeaafa7a56e9ad4c5c64673a6c739356e3774735af2617145c2021bf9dc54d3
Opcode Fuzzy Hash: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
Instruction Fuzzy Hash: 28714972724A40C6FF609F65E48835E67A5F788BC4F03512ADA4983F94DFBEC4988B40

Function 0000024EF3E36E1C Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E36E4E

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

__doserrno.LIBCMT ref: 0000024EF3E36E45

Part of subcall function 0000024EF3E31CA8: _getptd_noexit.LIBCMT ref: 0000024EF3E31CAC

__doserrno.LIBCMT ref: 0000024EF3E36EAB
_errno.LIBCMT ref: 0000024EF3E36EB2
_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E36F16

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction ID: 7b8c628402cc3d9245eedd7b7ad6d111f1fd61ce323b5a8e2f91d57617eb6a9b
Opcode Fuzzy Hash: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction Fuzzy Hash: 8E31B2313187058FFB19AF78988A379BA90FF42320F53025DE416976E3D6B898094391

Function 0000024EF3DD1B48 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

write_multi_char.LIBCMT ref: 0000024EF3DD1FEB
write_string.LIBCMT ref: 0000024EF3DD2008
write_multi_char.LIBCMT ref: 0000024EF3DD2025
write_string.LIBCMT ref: 0000024EF3DD2084
write_multi_char.LIBCMT ref: 0000024EF3DD20DD
free.LIBCMT ref: 0000024EF3DD20F1

Strings

, xrefs: 0000024EF3DD1FBF

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: write_multi_char$write_string$free
String ID:
API String ID: 2630409672-3916222277
Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
Instruction ID: d882ca00f2a7460f814112cc09b3425e7932dff07afb84c463edd45aaffe9360
Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
Instruction Fuzzy Hash: 88A1C02260869186FF61CF65E4083AE7BB4F785795F170006EE4997E99CBBEC949CB00

Function 0000024EF3E37C08 Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E37C33

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

__doserrno.LIBCMT ref: 0000024EF3E37C2B

Part of subcall function 0000024EF3E31CA8: _getptd_noexit.LIBCMT ref: 0000024EF3E31CAC

__lock_fhandle.LIBCMT ref: 0000024EF3E37C77
_lseeki64_nolock.LIBCMT ref: 0000024EF3E37C90
_unlock_fhandle.LIBCMT ref: 0000024EF3E37CB3

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction ID: 29512c17fa9a4b80a49230018870332fd5d10da3d96c49ddf7d09647109ae5be
Opcode Fuzzy Hash: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction Fuzzy Hash: 5921D130708B004FFB59BB58988A3BDBAD0FF8A321F57025DE016876D3D6FC585582A2

Function 0000024EF3E37A90 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E37ABB

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

__doserrno.LIBCMT ref: 0000024EF3E37AB3

Part of subcall function 0000024EF3E31CA8: _getptd_noexit.LIBCMT ref: 0000024EF3E31CAC

__lock_fhandle.LIBCMT ref: 0000024EF3E37AFF
_lseek_nolock.LIBCMT ref: 0000024EF3E37B18
_unlock_fhandle.LIBCMT ref: 0000024EF3E37B39

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction ID: b34d9d30f428c78f5488a4131451f64718092c8f3fe0049d14cab166e4e43382
Opcode Fuzzy Hash: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction Fuzzy Hash: 3921AE31B087004FFB196B68988A3BDBAA1FF82321F57025DE456876D3D6FC585942A2

Function 0000024EF3DD621C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DD624E

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

__doserrno.LIBCMT ref: 0000024EF3DD6245

Part of subcall function 0000024EF3DD10A8: _getptd_noexit.LIBCMT ref: 0000024EF3DD10AC

__doserrno.LIBCMT ref: 0000024EF3DD62AB
_errno.LIBCMT ref: 0000024EF3DD62B2
_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DD6316

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
Instruction ID: cea896d3909577d31b9eccdde96c266551ccdbf147e7bffe600a1287978738dd
Opcode Fuzzy Hash: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
Instruction Fuzzy Hash: C3310432B0028186FF526F66D88936D3A54F7817A2F8B4129AA1197FD3CBFEC44D8750

Function 0000024EF3DDF150 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DDF176
_errno.LIBCMT ref: 0000024EF3DDF16B

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
Instruction ID: 2854a3171dac93e4e496044152d7d128709ffda7dfb62da362f7dd356061f049
Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
Instruction Fuzzy Hash: E541457661039181FF60AF62D4083AD7BE8F754BA6F934121EA94C7EC5D7AECA4D8700

Function 0000024EF3E36434 Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E3645F

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

__doserrno.LIBCMT ref: 0000024EF3E36457

Part of subcall function 0000024EF3E31CA8: _getptd_noexit.LIBCMT ref: 0000024EF3E31CAC

__lock_fhandle.LIBCMT ref: 0000024EF3E364A3
_unlock_fhandle.LIBCMT ref: 0000024EF3E364DD

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction ID: da2bd9e703506d3cd4f8d083f0abfe2be0897c74b854959323b88164cab8012c
Opcode Fuzzy Hash: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction Fuzzy Hash: C821B531B0C7004EFB196B68D88A3BDBAD0FF86321F57065DE016876D3D6EC584542A6

Function 0000024EF3E35C58 Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E35C79

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

__doserrno.LIBCMT ref: 0000024EF3E35C71

Part of subcall function 0000024EF3E31CA8: _getptd_noexit.LIBCMT ref: 0000024EF3E31CAC

__lock_fhandle.LIBCMT ref: 0000024EF3E35CBD
_close_nolock.LIBCMT ref: 0000024EF3E35CD0
_unlock_fhandle.LIBCMT ref: 0000024EF3E35CE9

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction ID: 33e41a1dcdfec6062be8db00fc99cd16aa009f624cfa04939266979040a22dbf
Opcode Fuzzy Hash: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction Fuzzy Hash: 2521D231709B008EFB15AB64888E3A9FED0FF42321F67056CE416876E3C6FC98484761

Function 0000024EF3DD7008 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DD7033

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

__doserrno.LIBCMT ref: 0000024EF3DD702B

Part of subcall function 0000024EF3DD10A8: _getptd_noexit.LIBCMT ref: 0000024EF3DD10AC

__lock_fhandle.LIBCMT ref: 0000024EF3DD7077
_lseeki64_nolock.LIBCMT ref: 0000024EF3DD7090

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
String ID:
API String ID: 4140391395-0
Opcode ID: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
Instruction ID: 9fc43af9310e06bbd0f60cbf6a0b2fb53796a305d03814f042eb402c0b9cb224
Opcode Fuzzy Hash: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
Instruction Fuzzy Hash: 0F21012230024041FF112F25E84A3BDB620B780BB3F0B4304AA358BBD2C7FEC4598360

Function 0000024EF3DD6E90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DD6EBB

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

__doserrno.LIBCMT ref: 0000024EF3DD6EB3

Part of subcall function 0000024EF3DD10A8: _getptd_noexit.LIBCMT ref: 0000024EF3DD10AC

__lock_fhandle.LIBCMT ref: 0000024EF3DD6EFF
_lseek_nolock.LIBCMT ref: 0000024EF3DD6F18

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
String ID:
API String ID: 310312816-0
Opcode ID: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
Instruction ID: 12fef68e702e30fc8e37915133f8c001103777a15a6a919ceb27cb7751173acb
Opcode Fuzzy Hash: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
Instruction Fuzzy Hash: 22210532B00A4145FF116F75E84936D7654F7807A3F8B4114AA158BFD2CBFE884D8794

Function 0000024EF3E2FF6C Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000024EF3E2FF9A

Part of subcall function 0000024EF3E2F244: RtlFreeHeap.NTDLL ref: 0000024EF3E2F25A
Part of subcall function 0000024EF3E2F244: _errno.LIBCMT ref: 0000024EF3E2F264

free.LIBCMT ref: 0000024EF3E2FFAF
free.LIBCMT ref: 0000024EF3E2FFD0
free.LIBCMT ref: 0000024EF3E2FFE5
free.LIBCMT ref: 0000024EF3E2FFF9
free.LIBCMT ref: 0000024EF3E30005
free.LIBCMT ref: 0000024EF3E30030
free.LIBCMT ref: 0000024EF3E30051
free.LIBCMT ref: 0000024EF3E3006A
free.LIBCMT ref: 0000024EF3E3009B

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction ID: a8a08085dda1eb457cad77cbb69409954172ee751da388b02453d008f46dd18d
Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction Fuzzy Hash: F541AF31664B0A8FFFA5EB58D898BE473D0FF59311F6640699406C26E1CEACCD4ACB10

Function 0000024EF3DCF36C Relevance: 12.6, APIs: 10, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000024EF3DCF39A

Part of subcall function 0000024EF3DCE644: _errno.LIBCMT ref: 0000024EF3DCE664

free.LIBCMT ref: 0000024EF3DCF3AF
free.LIBCMT ref: 0000024EF3DCF3D0
free.LIBCMT ref: 0000024EF3DCF3E5
free.LIBCMT ref: 0000024EF3DCF3F9
free.LIBCMT ref: 0000024EF3DCF405
free.LIBCMT ref: 0000024EF3DCF430
free.LIBCMT ref: 0000024EF3DCF451
free.LIBCMT ref: 0000024EF3DCF46A
free.LIBCMT ref: 0000024EF3DCF49B

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
Instruction ID: 04b2f9a91f5e5b3129737854db734a77ccd6e681c7503727b46e9777019d6fde
Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
Instruction Fuzzy Hash: BD318C69661A4081FE54EB21E89D3A833A4BB94BD8F0B0625D919C7F91DFEFC45CC301

Function 0000024EF3E3FD50 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E3FD76
_errno.LIBCMT ref: 0000024EF3E3FD6B

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction ID: 360a8c830e4ef6e71da8cb1331fe3a627746475a109305d5942ef60a7f6fe3d0
Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction Fuzzy Hash: 37513830715B0A8BFF64AB19844D3F9FAD0FF54321F97016AE055C79D6D6AC884A8341

Function 0000024EF3DD5834 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DD585F

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

__doserrno.LIBCMT ref: 0000024EF3DD5857

Part of subcall function 0000024EF3DD10A8: _getptd_noexit.LIBCMT ref: 0000024EF3DD10AC

__lock_fhandle.LIBCMT ref: 0000024EF3DD58A3

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
String ID:
API String ID: 2611593033-0
Opcode ID: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
Instruction ID: 0c4d23d1b4981b88946aa4dbd78839bb7c628b63bdc3edd5dbb40c505d371996
Opcode Fuzzy Hash: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
Instruction Fuzzy Hash: F721F32270024946FF552F66E84937D7651B780BA3F5B4115AE268BBD2CBFE884DC720

Function 0000024EF3DD5058 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DD5079

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

__doserrno.LIBCMT ref: 0000024EF3DD5071

Part of subcall function 0000024EF3DD10A8: _getptd_noexit.LIBCMT ref: 0000024EF3DD10AC

__lock_fhandle.LIBCMT ref: 0000024EF3DD50BD
_close_nolock.LIBCMT ref: 0000024EF3DD50D0

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
String ID:
API String ID: 4060740672-0
Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
Instruction ID: 39e3bce4c8166dbc2e9e9a8dd62585535735758eda6748cc639a518bd5dc638b
Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
Instruction Fuzzy Hash: A111D02260028985FF156F65EC8D36C7A52B7807A3F5B4624A91687BD2C7FE845C8350

Function 0000024EF3E1460C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3E146A9

Part of subcall function 0000024EF3E2F284: _FF_MSGBANNER.LIBCMT ref: 0000024EF3E2F2B4
Part of subcall function 0000024EF3E2F284: _NMSG_WRITE.LIBCMT ref: 0000024EF3E2F2BE
Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F2F2
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F2FD
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F308

malloc.LIBCMT ref: 0000024EF3E146B3

Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F318
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F31D

malloc.LIBCMT ref: 0000024EF3E146BE
free.LIBCMT ref: 0000024EF3E1487E
free.LIBCMT ref: 0000024EF3E14886
free.LIBCMT ref: 0000024EF3E1488E

Part of subcall function 0000024EF3E154F0: malloc.LIBCMT ref: 0000024EF3E1553A
Part of subcall function 0000024EF3E154F0: malloc.LIBCMT ref: 0000024EF3E15545
Part of subcall function 0000024EF3E154F0: free.LIBCMT ref: 0000024EF3E1562C
Part of subcall function 0000024EF3E154F0: free.LIBCMT ref: 0000024EF3E15634

free.LIBCMT ref: 0000024EF3E1489A
free.LIBCMT ref: 0000024EF3E148A7
free.LIBCMT ref: 0000024EF3E148B4

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction ID: 68a66594294f299f6ca569c0fc5fd72d157f359f84dbbf768e7e74d2e9b3ddee
Opcode Fuzzy Hash: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction Fuzzy Hash: 6C91C730718B494BFB69BA6C94557F973D1FF85700F52025EE48AC3783DEA8D80A8687

Function 0000024EF3DB3A0C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3DB3AA9

Part of subcall function 0000024EF3DCE684: _FF_MSGBANNER.LIBCMT ref: 0000024EF3DCE6B4
Part of subcall function 0000024EF3DCE684: _NMSG_WRITE.LIBCMT ref: 0000024EF3DCE6BE
Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE6F2
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE6FD
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE708

malloc.LIBCMT ref: 0000024EF3DB3AB3

Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE718
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE71D

malloc.LIBCMT ref: 0000024EF3DB3ABE
free.LIBCMT ref: 0000024EF3DB3C7E
free.LIBCMT ref: 0000024EF3DB3C86
free.LIBCMT ref: 0000024EF3DB3C8E

Part of subcall function 0000024EF3DB48F0: malloc.LIBCMT ref: 0000024EF3DB493A
Part of subcall function 0000024EF3DB48F0: malloc.LIBCMT ref: 0000024EF3DB4945
Part of subcall function 0000024EF3DB48F0: free.LIBCMT ref: 0000024EF3DB4A2C
Part of subcall function 0000024EF3DB48F0: free.LIBCMT ref: 0000024EF3DB4A34

free.LIBCMT ref: 0000024EF3DB3C9A
free.LIBCMT ref: 0000024EF3DB3CA7
free.LIBCMT ref: 0000024EF3DB3CB4

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
Instruction ID: e5cb3c241f881b927b96969608e67efc82dd8c10fed3554f0dd35737c7ea561a
Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
Instruction Fuzzy Hash: 707133623147C446FF21DB6694487AA7B90B784BC8F434124ED4687F86DFBEC80ADB00

Function 0000024EF3E2FE10 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E2FE36

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E2FE42
__crtIsPackagedApp.LIBCMT ref: 0000024EF3E2FE53
_dosmaperr.LIBCMT ref: 0000024EF3E2FE9D

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction ID: a276da7a1d7e48cf11a6db8c08f9054927321cf572c33a01a998c777b3897628
Opcode Fuzzy Hash: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction Fuzzy Hash: B831A430B14B098FFF59AB6998493A977D1FF88321F17425DA44AC36D2DBBCC8468742

Function 0000024EF3E3A73C Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E3A755

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

__lock_fhandle.LIBCMT ref: 0000024EF3E3A79D
__doserrno.LIBCMT ref: 0000024EF3E3A7D2
_errno.LIBCMT ref: 0000024EF3E3A7D9
_unlock_fhandle.LIBCMT ref: 0000024EF3E3A7E9

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction ID: 6dd716286f485ec0b13112c2119f2e2314bf48e4b36b3acfd548f291d86b8d05
Opcode Fuzzy Hash: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction Fuzzy Hash: B121C2317087018EFB19AB6898DD3ADBEA0FF46310F57016CE516876D2D6EC5C898391

Function 0000024EF3DCF210 Relevance: 10.6, APIs: 7, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DCF236

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DCF242
__crtIsPackagedApp.LIBCMT ref: 0000024EF3DCF253
_dosmaperr.LIBCMT ref: 0000024EF3DCF29D

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
Instruction ID: a3b1a9e74683a067496c61226adcc2212d83e6029fdaed54abe52ed5281566fc
Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
Instruction Fuzzy Hash: 1331D222310B4182FF10AF66D808369B6E9FB85BD4F170524DA05C3BD5DFBEC5488300

Function 0000024EF3DDEFD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000024EF3DDF004

Part of subcall function 0000024EF3DD0A00: _getptd.LIBCMT ref: 0000024EF3DD0A16
Part of subcall function 0000024EF3DD0A00: __updatetlocinfo.LIBCMT ref: 0000024EF3DD0A4B
Part of subcall function 0000024EF3DD0A00: __updatetmbcinfo.LIBCMT ref: 0000024EF3DD0A72

_errno.LIBCMT ref: 0000024EF3DDF01F
_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DDF02A

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
Instruction ID: 8a17992b59e4dfcbd0b6d33ef675a25e35e2af4bf3ae3632fc4f3921f1855208
Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
Instruction Fuzzy Hash: 1F318F7220478485FB609F11E44876DB7A8F788BE6F578121EE5887FC5CBBAC859C700

Function 0000024EF3E30B10 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E30B4C

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E30B57
memcpy_s.LIBCMT ref: 0000024EF3E30C1C
_fileno.LIBCMT ref: 0000024EF3E30C87
_filbuf.LIBCMT ref: 0000024EF3E30CB5
_errno.LIBCMT ref: 0000024EF3E30D05

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction ID: dc04dd32a155cad3047a60a309def029f9c991816bb72e2fc722d81f4772eb40
Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction Fuzzy Hash: DA61A230318F094AFA6C562C585D239FAD1FF95724F67032ED457C3AD2DAB4AC5A42C1

Function 0000024EF3DCFF10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DCFF4C

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DCFF57
memcpy_s.LIBCMT ref: 0000024EF3DD001C
_fileno.LIBCMT ref: 0000024EF3DD0087
_filbuf.LIBCMT ref: 0000024EF3DD00B5
_errno.LIBCMT ref: 0000024EF3DD0105

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
Instruction ID: a2d1cea9277454f80567cd08e188681ec2198505460da4f8e6bffcdec86a28ab
Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
Instruction Fuzzy Hash: C451372171425092FE648E66A4087A97694F385BF4F178711EE79C3FD5CBBEC49D8340

Function 0000024EF3E3FBD0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 0000024EF3E31600: _getptd.LIBCMT ref: 0000024EF3E31616
Part of subcall function 0000024EF3E31600: __updatetlocinfo.LIBCMT ref: 0000024EF3E3164B
Part of subcall function 0000024EF3E31600: __updatetmbcinfo.LIBCMT ref: 0000024EF3E31672

_errno.LIBCMT ref: 0000024EF3E3FC1F
_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E3FC2A

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: __updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808835054-0
Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction ID: baf3cfb1f87b2795d4da6f97188eeb9182eb1acf01d5d61ae00a7ef43f77f803
Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction Fuzzy Hash: 4E317030718B088FEF94EF1890887A9BAD1FF58310F5302ADA849C76D2DBB4DC498785

Function 0000024EF3E30620 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E30577

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E30582
_getstream.LIBCMT ref: 0000024EF3E305A2
_errno.LIBCMT ref: 0000024EF3E305B4
_errno.LIBCMT ref: 0000024EF3E305C6
_openfile.LIBCMT ref: 0000024EF3E305F4

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
Instruction ID: 13e8419ecf5c02d44e64b65ffde22bde616f34d582bf6556fb1d678eb89a95a7
Opcode Fuzzy Hash: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
Instruction Fuzzy Hash: D021B670718B098FFFA1EB28540937EBAD1FF99310F570569A44AC3692DBACCC454381

Function 0000024EF3DCFA20 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DCF977

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DCF982
_getstream.LIBCMT ref: 0000024EF3DCF9A2
_errno.LIBCMT ref: 0000024EF3DCF9B4
_errno.LIBCMT ref: 0000024EF3DCF9C6
_openfile.LIBCMT ref: 0000024EF3DCF9F4

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
Instruction ID: 3776c449229f6c76a9f8c756051754854c141b8602703798c4276630c3432ed2
Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
Instruction Fuzzy Hash: CE21066132478691FF615F62A80939EF699B744BC0F474421EE89C7F96DFBEC4488700

Function 0000024EF3DD9B3C Relevance: 9.1, APIs: 6, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DD9B55

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

__lock_fhandle.LIBCMT ref: 0000024EF3DD9B9D
__doserrno.LIBCMT ref: 0000024EF3DD9BD2
_errno.LIBCMT ref: 0000024EF3DD9BD9

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
String ID:
API String ID: 2102446242-0
Opcode ID: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
Instruction ID: d0ca497883670f4338c603208310eb399085fda789bd53621838a68e6560f9c3
Opcode Fuzzy Hash: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
Instruction Fuzzy Hash: 3C21C321300641C5FF126FA9D8CD36D7654F78176AF0B41199A168BBD2CBFF888D8314

Function 0000024EF3DCE3EC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3DCE40F

Part of subcall function 0000024EF3DCE684: _FF_MSGBANNER.LIBCMT ref: 0000024EF3DCE6B4
Part of subcall function 0000024EF3DCE684: _NMSG_WRITE.LIBCMT ref: 0000024EF3DCE6BE
Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE6F2
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE6FD
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE708

malloc.LIBCMT ref: 0000024EF3DCE41D

Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE718
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE71D

malloc.LIBCMT ref: 0000024EF3DCE43F
_snprintf.LIBCMT ref: 0000024EF3DCE45A

Part of subcall function 0000024EF3DCEA3C: _errno.LIBCMT ref: 0000024EF3DCEA73
Part of subcall function 0000024EF3DCEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DCEA7E

malloc.LIBCMT ref: 0000024EF3DCE475

Strings

dpoolWait, xrefs: 0000024EF3DCE444

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID: dpoolWait
API String ID: 2026495703-1875951006
Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
Instruction ID: 8d58343297f751a366deface8a0e46aecab21eb1a74653b7b0b3e26fff5f25a6
Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
Instruction Fuzzy Hash: 270100B1720B9041FE14DB12B8087596799F398FE1F07422AEFA893BC6CEBCC0458780

Function 0000024EF3E231F4 Relevance: 9.0, APIs: 7, Instructions: 264stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 0000024EF3E2322E
strchr.LIBCMT ref: 0000024EF3E2324C
malloc.LIBCMT ref: 0000024EF3E23264
malloc.LIBCMT ref: 0000024EF3E23271
rand.LIBCMT ref: 0000024EF3E2333D
free.LIBCMT ref: 0000024EF3E2345B
free.LIBCMT ref: 0000024EF3E23463

Part of subcall function 0000024EF3E2F244: RtlFreeHeap.NTDLL ref: 0000024EF3E2F25A
Part of subcall function 0000024EF3E2F244: _errno.LIBCMT ref: 0000024EF3E2F264

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$FreeHeap_errnorand
String ID:
API String ID: 3504763109-0
Opcode ID: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction ID: 4a5d2faf9e7e2667f7cc4e90bf29f971a4fec297ee042f37b277e0bc50cbad78
Opcode Fuzzy Hash: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction Fuzzy Hash: E481E630A18F884AFF76AB2C98097F6B3D0FF99305F0601ADD589C7592DE68D94B8741

Function 0000024EF3DC25F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 0000024EF3DC262E
strchr.LIBCMT ref: 0000024EF3DC264C
malloc.LIBCMT ref: 0000024EF3DC2664
malloc.LIBCMT ref: 0000024EF3DC2671
rand.LIBCMT ref: 0000024EF3DC273D
free.LIBCMT ref: 0000024EF3DC285B
free.LIBCMT ref: 0000024EF3DC2863

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$rand
String ID:
API String ID: 1305919620-0
Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
Instruction ID: 367f187a494602e7c2ccbac6dbfac1e68b3f330ffe258f02d07851ad4176a71c
Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
Instruction Fuzzy Hash: 70712B91624BC441FE269B29A4193EAA3A0FF95BC5F0B4110DF8557FD6DE7EC14A8700

Function 0000024EF3E14170 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3E141BD

Part of subcall function 0000024EF3E2F284: _FF_MSGBANNER.LIBCMT ref: 0000024EF3E2F2B4
Part of subcall function 0000024EF3E2F284: _NMSG_WRITE.LIBCMT ref: 0000024EF3E2F2BE
Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F2F2
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F2FD
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F308

malloc.LIBCMT ref: 0000024EF3E141C8

Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F318
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F31D

free.LIBCMT ref: 0000024EF3E142AF
free.LIBCMT ref: 0000024EF3E142B7
free.LIBCMT ref: 0000024EF3E142BF
free.LIBCMT ref: 0000024EF3E142CB
free.LIBCMT ref: 0000024EF3E142D8

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction ID: 2650b051279e0be699378ccf66d55bae0c03a12a8132c6ccaeb27e5c5cd6a2c7
Opcode Fuzzy Hash: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction Fuzzy Hash: 9451C534618F094BFF59AB6894496B9B3E0FF49300F52016DD84AC3787EEA4DC4ACA85

Function 0000024EF3DB3570 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3DB35BD

Part of subcall function 0000024EF3DCE684: _FF_MSGBANNER.LIBCMT ref: 0000024EF3DCE6B4
Part of subcall function 0000024EF3DCE684: _NMSG_WRITE.LIBCMT ref: 0000024EF3DCE6BE
Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE6F2
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE6FD
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE708

malloc.LIBCMT ref: 0000024EF3DB35C8

Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE718
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE71D

free.LIBCMT ref: 0000024EF3DB36AF
free.LIBCMT ref: 0000024EF3DB36B7
free.LIBCMT ref: 0000024EF3DB36BF
free.LIBCMT ref: 0000024EF3DB36CB
free.LIBCMT ref: 0000024EF3DB36D8

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
Instruction ID: 51e8db1c1ff8e854c1971538da235962179514147768c8c963d796616feb3910
Opcode Fuzzy Hash: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
Instruction Fuzzy Hash: 3741ED223107919BFF94DB26995836A2794B709BC0F470524DE1687F41EFBED82AC700

Function 0000024EF3DCB630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 0000024EF3DCB654

Part of subcall function 0000024EF3DCF84C: _getptd.LIBCMT ref: 0000024EF3DCF854

malloc.LIBCMT ref: 0000024EF3DCB69C
strtok.LIBCMT ref: 0000024EF3DCB700
strtok.LIBCMT ref: 0000024EF3DCB711

Strings

eThreadpoolTimer, xrefs: 0000024EF3DCB6DA

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: strtok$_getptd_time64malloc
String ID: eThreadpoolTimer
API String ID: 1522986614-2707337283
Opcode ID: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
Instruction ID: 1903c1278598958cdc4395de9d95ca479b3296abfcf2ecd897fe16e3b5a10591
Opcode Fuzzy Hash: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
Instruction Fuzzy Hash: F321F3B2660BA481FF00DF12E08C6AD3BA8F784BD4F174216EF5A87B81CB79C4458780

Function 0000024EF3DBBE74 Relevance: 7.8, APIs: 6, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000024EF3DC53EC: malloc.LIBCMT ref: 0000024EF3DC5408

malloc.LIBCMT ref: 0000024EF3DBBF3B

Part of subcall function 0000024EF3DCE684: _FF_MSGBANNER.LIBCMT ref: 0000024EF3DCE6B4
Part of subcall function 0000024EF3DCE684: _NMSG_WRITE.LIBCMT ref: 0000024EF3DCE6BE
Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE6F2
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE6FD
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE708

Part of subcall function 0000024EF3DCB630: _time64.LIBCMT ref: 0000024EF3DCB654
Part of subcall function 0000024EF3DCB630: malloc.LIBCMT ref: 0000024EF3DCB69C
Part of subcall function 0000024EF3DCB630: strtok.LIBCMT ref: 0000024EF3DCB700
Part of subcall function 0000024EF3DCB630: strtok.LIBCMT ref: 0000024EF3DCB711

Part of subcall function 0000024EF3DC28A0: _time64.LIBCMT ref: 0000024EF3DC28AE

Part of subcall function 0000024EF3DCDEA8: malloc.LIBCMT ref: 0000024EF3DCDEF8

Part of subcall function 0000024EF3DCDEA8: realloc.LIBCMT ref: 0000024EF3DCDF07

malloc.LIBCMT ref: 0000024EF3DBC04A
_snprintf.LIBCMT ref: 0000024EF3DBC0C1
_snprintf.LIBCMT ref: 0000024EF3DBC0E7
_snprintf.LIBCMT ref: 0000024EF3DBC10E
free.LIBCMT ref: 0000024EF3DBC2C6

Part of subcall function 0000024EF3DCA144: malloc.LIBCMT ref: 0000024EF3DCA178
Part of subcall function 0000024EF3DCA144: free.LIBCMT ref: 0000024EF3DCA32F

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
String ID:
API String ID: 1314452303-0
Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
Instruction ID: 3c53b9deceed8bc408c5cbe98684512f81cf4e85fb82039877803362b84c9d20
Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
Instruction Fuzzy Hash: A7C18C2172168146FE18EB62A85D7AA7299BB857C0F434124EE46C7FD7DFBEC50E8700

Function 0000024EF3E21694 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0000024EF3E25FEC: malloc.LIBCMT ref: 0000024EF3E26008

Part of subcall function 0000024EF3E30620: _errno.LIBCMT ref: 0000024EF3E30577
Part of subcall function 0000024EF3E30620: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E30582

fseek.LIBCMT ref: 0000024EF3E21730

Part of subcall function 0000024EF3E30EA4: _errno.LIBCMT ref: 0000024EF3E30ECC
Part of subcall function 0000024EF3E30EA4: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E30ED7

_ftelli64.LIBCMT ref: 0000024EF3E21738

Part of subcall function 0000024EF3E30F18: _errno.LIBCMT ref: 0000024EF3E30F36
Part of subcall function 0000024EF3E30F18: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E30F41

fseek.LIBCMT ref: 0000024EF3E21748

Part of subcall function 0000024EF3E30EA4: _fseek_nolock.LIBCMT ref: 0000024EF3E30EF5

malloc.LIBCMT ref: 0000024EF3E21788

Part of subcall function 0000024EF3E2F284: _FF_MSGBANNER.LIBCMT ref: 0000024EF3E2F2B4
Part of subcall function 0000024EF3E2F284: _NMSG_WRITE.LIBCMT ref: 0000024EF3E2F2BE
Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F2F2
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F2FD
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F308

fclose.LIBCMT ref: 0000024EF3E21845

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction ID: fd0d713fbc4f6ebbc566c87ee429b3d821f7bb59cd1d3e5903433403e13942f7
Opcode Fuzzy Hash: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction Fuzzy Hash: E4519631B18B084BFB5DEB2894997B973D1FF88310F52426DE48BC36D7DE68D9068681

Function 0000024EF3E3A348 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 0000024EF3E3A375

Part of subcall function 0000024EF3E33E58: _FF_MSGBANNER.LIBCMT ref: 0000024EF3E33E75
Part of subcall function 0000024EF3E33E58: _NMSG_WRITE.LIBCMT ref: 0000024EF3E33E7F

_lock.LIBCMT ref: 0000024EF3E3A388
_lock.LIBCMT ref: 0000024EF3E3A3E3
_calloc_crt.LIBCMT ref: 0000024EF3E3A49A

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction ID: 352b3d89a39e60f054a828167e58de0fb4a9b81d06b73a6c1eb97142bb90a1b8
Opcode Fuzzy Hash: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction Fuzzy Hash: FE51A570718B088BFB649F18C889379FBE0FF54310F57465DD84AC75A2D6B8D8868782

Function 0000024EF3E154F0 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3E1553A

Part of subcall function 0000024EF3E2F284: _FF_MSGBANNER.LIBCMT ref: 0000024EF3E2F2B4
Part of subcall function 0000024EF3E2F284: _NMSG_WRITE.LIBCMT ref: 0000024EF3E2F2BE
Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F2F2
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F2FD
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F308

malloc.LIBCMT ref: 0000024EF3E15545

Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F318
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F31D

free.LIBCMT ref: 0000024EF3E1562C
free.LIBCMT ref: 0000024EF3E15634
free.LIBCMT ref: 0000024EF3E15640
free.LIBCMT ref: 0000024EF3E1564D

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction ID: 10045928cdb61bae5a7e0fffcd365eb9d535fa2028b273e4d61c39e59271c7e6
Opcode Fuzzy Hash: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction Fuzzy Hash: 05411931328B0D4BFF68AA28484927A73D5FF96350F16412DD887C3693EE68D80B47C2

Function 0000024EF3E3239C Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 0000024EF3E323B9

Part of subcall function 0000024EF3E35A54: _errno.LIBCMT ref: 0000024EF3E35A5D
Part of subcall function 0000024EF3E35A54: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E35A68

_errno.LIBCMT ref: 0000024EF3E323C9

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

_errno.LIBCMT ref: 0000024EF3E323E5
_isatty.LIBCMT ref: 0000024EF3E32446
_getbuf.LIBCMT ref: 0000024EF3E32452

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction ID: 49158f897315cb6fc4f21119dac0edf0bfdb0b6b4510525b9abd62245eb56b84
Opcode Fuzzy Hash: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction Fuzzy Hash: F6517F30214B088FFF98EF28C489765BAE1FF58310F570699D895CB6D6D7B8D8898781

Function 0000024EF3E29220 Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3E2924F

Part of subcall function 0000024EF3E2F284: _FF_MSGBANNER.LIBCMT ref: 0000024EF3E2F2B4
Part of subcall function 0000024EF3E2F284: _NMSG_WRITE.LIBCMT ref: 0000024EF3E2F2BE
Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F2F2
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F2FD
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F308

_snprintf.LIBCMT ref: 0000024EF3E29267

Part of subcall function 0000024EF3E2F63C: _errno.LIBCMT ref: 0000024EF3E2F673
Part of subcall function 0000024EF3E2F63C: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E2F67E

free.LIBCMT ref: 0000024EF3E2927E

Part of subcall function 0000024EF3E2F244: RtlFreeHeap.NTDLL ref: 0000024EF3E2F25A
Part of subcall function 0000024EF3E2F244: _errno.LIBCMT ref: 0000024EF3E2F264

malloc.LIBCMT ref: 0000024EF3E292CE
_snprintf.LIBCMT ref: 0000024EF3E292E6
free.LIBCMT ref: 0000024EF3E2930E

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$FreeHeap_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 343393124-0
Opcode ID: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction ID: 720b7752fbf4734cd0ad7f16c0ad3489884e51a6260b5ab16aebd6f3d4d6e2fc
Opcode Fuzzy Hash: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction Fuzzy Hash: A141E731B0CA4C4FFAA8AB6C64157B477D2FB89310F46515DE08EC3296DE68DC178781

Function 0000024EF3DC0A94 Relevance: 7.6, APIs: 5, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0000024EF3DC53EC: malloc.LIBCMT ref: 0000024EF3DC5408

Part of subcall function 0000024EF3DCFA20: _errno.LIBCMT ref: 0000024EF3DCF977
Part of subcall function 0000024EF3DCFA20: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DCF982

fseek.LIBCMT ref: 0000024EF3DC0B30

Part of subcall function 0000024EF3DD02A4: _errno.LIBCMT ref: 0000024EF3DD02CC
Part of subcall function 0000024EF3DD02A4: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DD02D7

_ftelli64.LIBCMT ref: 0000024EF3DC0B38

Part of subcall function 0000024EF3DD0318: _errno.LIBCMT ref: 0000024EF3DD0336
Part of subcall function 0000024EF3DD0318: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DD0341

fseek.LIBCMT ref: 0000024EF3DC0B48

Part of subcall function 0000024EF3DD02A4: _fseek_nolock.LIBCMT ref: 0000024EF3DD02F5

malloc.LIBCMT ref: 0000024EF3DC0B88

Part of subcall function 0000024EF3DCE684: _FF_MSGBANNER.LIBCMT ref: 0000024EF3DCE6B4
Part of subcall function 0000024EF3DCE684: _NMSG_WRITE.LIBCMT ref: 0000024EF3DCE6BE
Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE6F2
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE6FD
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE708

Part of subcall function 0000024EF3DBC444: malloc.LIBCMT ref: 0000024EF3DBC457

fclose.LIBCMT ref: 0000024EF3DC0C45

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 1756087678-0
Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
Instruction ID: 6754e54e53ddc2ca991a5eb88d2defea15591cec3609fc628f8b67c2cc85d22a
Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
Instruction Fuzzy Hash: 9741B42532468082FE14EB22E4593AD7656B7C9BD0F838121EE5E87FD6DFBEC5098700

Function 0000024EF3DCFA2C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DCFA64

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DCFA6F
_flush.LIBCMT ref: 0000024EF3DCFB21
_fileno.LIBCMT ref: 0000024EF3DCFB42
_flsbuf.LIBCMT ref: 0000024EF3DCFB85

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1640621425-0
Opcode ID: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
Instruction ID: 7b4d5f9d78961fd30209ec7a3cf67c57c8f92576a5c10ba822acafb7194feafa
Opcode Fuzzy Hash: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
Instruction Fuzzy Hash: EA41063132064486FE699E62555839EF69AB744FE4F1B8220DE55C7FD1DBBEC44D8300

Function 0000024EF3DB48F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3DB493A

Part of subcall function 0000024EF3DCE684: _FF_MSGBANNER.LIBCMT ref: 0000024EF3DCE6B4
Part of subcall function 0000024EF3DCE684: _NMSG_WRITE.LIBCMT ref: 0000024EF3DCE6BE
Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE6F2
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE6FD
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE708

malloc.LIBCMT ref: 0000024EF3DB4945

Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE718
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE71D

free.LIBCMT ref: 0000024EF3DB4A2C
free.LIBCMT ref: 0000024EF3DB4A34
free.LIBCMT ref: 0000024EF3DB4A40
free.LIBCMT ref: 0000024EF3DB4A4D

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
Instruction ID: e28f55a3f294d23e8c41b4680d8157ef984cdabced3b6476dd1d26bc66dd291d
Opcode Fuzzy Hash: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
Instruction Fuzzy Hash: B841BF223247C586FE15DB2694496696AA8B795BCCF0B4124DD55CBF41EFBEC80EC304

Function 0000024EF3E1FC64 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3E1FC85

Part of subcall function 0000024EF3E2F284: _FF_MSGBANNER.LIBCMT ref: 0000024EF3E2F2B4
Part of subcall function 0000024EF3E2F284: _NMSG_WRITE.LIBCMT ref: 0000024EF3E2F2BE
Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F2F2
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F2FD
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F308

free.LIBCMT ref: 0000024EF3E1FCC0
fwrite.LIBCMT ref: 0000024EF3E1FD01
fclose.LIBCMT ref: 0000024EF3E1FD09
free.LIBCMT ref: 0000024EF3E1FD16

Part of subcall function 0000024EF3E2F244: RtlFreeHeap.NTDLL ref: 0000024EF3E2F25A
Part of subcall function 0000024EF3E2F244: _errno.LIBCMT ref: 0000024EF3E2F264

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errno$free$FreeHeap_callnewhfclosefwritemalloc
String ID:
API String ID: 415550720-0
Opcode ID: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction ID: beb3038b5232bf23ed129b1d7386a1d0efed741d316e61f2cf90d480d902db6f
Opcode Fuzzy Hash: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction Fuzzy Hash: AC217431618B084BFF94F76884593AEB2D1FF88340F53065DA44AC36C7DDA8D90A8782

Function 0000024EF3DC8620 Relevance: 7.6, APIs: 6, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3DC864F

Part of subcall function 0000024EF3DCE684: _FF_MSGBANNER.LIBCMT ref: 0000024EF3DCE6B4
Part of subcall function 0000024EF3DCE684: _NMSG_WRITE.LIBCMT ref: 0000024EF3DCE6BE
Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE6F2
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE6FD
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE708

_snprintf.LIBCMT ref: 0000024EF3DC8667

Part of subcall function 0000024EF3DCEA3C: _errno.LIBCMT ref: 0000024EF3DCEA73
Part of subcall function 0000024EF3DCEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DCEA7E

free.LIBCMT ref: 0000024EF3DC867E

Part of subcall function 0000024EF3DCE644: _errno.LIBCMT ref: 0000024EF3DCE664

malloc.LIBCMT ref: 0000024EF3DC86CE
_snprintf.LIBCMT ref: 0000024EF3DC86E6
free.LIBCMT ref: 0000024EF3DC870E

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 761449704-0
Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
Instruction ID: db097935ea5cb00a4a57e4de0f588a2d2abbba2e109ec9247f3743c8d605edcf
Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
Instruction Fuzzy Hash: E331F4613202C045FE159B62A81C7A9AF657345FD0F8B4152DEE597FD6DEBEC48AC300

Function 0000024EF3DBF064 Relevance: 7.6, APIs: 5, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3DBF085

Part of subcall function 0000024EF3DCE684: _FF_MSGBANNER.LIBCMT ref: 0000024EF3DCE6B4
Part of subcall function 0000024EF3DCE684: _NMSG_WRITE.LIBCMT ref: 0000024EF3DCE6BE
Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE6F2
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE6FD
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE708

free.LIBCMT ref: 0000024EF3DBF0C0
fwrite.LIBCMT ref: 0000024EF3DBF101
fclose.LIBCMT ref: 0000024EF3DBF109
free.LIBCMT ref: 0000024EF3DBF116

Part of subcall function 0000024EF3DCE644: _errno.LIBCMT ref: 0000024EF3DCE664

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errno$free$_callnewhfclosefwritemalloc
String ID:
API String ID: 1696598829-0
Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
Instruction ID: d229da38032f0075c02ba7e9c9cb4e5b3f92a60b3cab39641875fbd4285fc2dc
Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
Instruction Fuzzy Hash: 2E11845132464041FE10E752E0193AE5396BB85BD4F474621EE5DDBFCADFAEC50D8740

Function 0000024EF3E3A5EC Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E3A5FD

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

__doserrno.LIBCMT ref: 0000024EF3E3A5F5

Part of subcall function 0000024EF3E31CA8: _getptd_noexit.LIBCMT ref: 0000024EF3E31CAC

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction ID: d12196d48dabf52474115e649c56d9fae0563ccaddadf3389d86ee8f1ce0052d
Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction Fuzzy Hash: FB01A93075474D8EFF59B764C8593A8BAA0FF11326F974258D0058B9F2D7FC44898752

Function 0000024EF3DD99EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DD99FD

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

__doserrno.LIBCMT ref: 0000024EF3DD99F5

Part of subcall function 0000024EF3DD10A8: _getptd_noexit.LIBCMT ref: 0000024EF3DD10AC

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
Instruction ID: 78b95bcddba5ce7d262ce51e56dc5031aebe852a565fbb21f265aba5beebab12
Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
Instruction Fuzzy Hash: 2801AF7271164584FF552F64C8893AC7251BB91B7BF939301D52987BD2C7FF444C8220

Function 0000024EF3E1EC04 Relevance: 6.5, APIs: 5, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000024EF3E1ECD3
_snprintf.LIBCMT ref: 0000024EF3E1ECFE
_snprintf.LIBCMT ref: 0000024EF3E1ED1A
_snprintf.LIBCMT ref: 0000024EF3E1EDCF
_snprintf.LIBCMT ref: 0000024EF3E1EDE6

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID:
API String ID: 3512837008-0
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: ba1afa2c2502c76d34c7e9cb6a279e120b81f36a328afe16177273a2169a984d
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: 48917431618B488FFF55EF18D889BAA73E5FF95304F020569E486C3292DE78D9498782

Function 0000024EF3DBE004 Relevance: 6.4, APIs: 5, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000024EF3DBE0D3
_snprintf.LIBCMT ref: 0000024EF3DBE0FE
_snprintf.LIBCMT ref: 0000024EF3DBE11A
_snprintf.LIBCMT ref: 0000024EF3DBE1CF
_snprintf.LIBCMT ref: 0000024EF3DBE1E6

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID:
API String ID: 3512837008-0
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: 337218aa057743248c5ca61a668a4f80af84ccfe77d9816e69095818141299c2
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: 50816976210B8486FF109B61E8883E977A0F788788F470126EA4D93B96DFBEC54DC740

Function 0000024EF3E2EFEC Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3E2F00F

Part of subcall function 0000024EF3E2F284: _FF_MSGBANNER.LIBCMT ref: 0000024EF3E2F2B4
Part of subcall function 0000024EF3E2F284: _NMSG_WRITE.LIBCMT ref: 0000024EF3E2F2BE
Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F2F2
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F2FD
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F308

malloc.LIBCMT ref: 0000024EF3E2F01D

Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F318
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F31D

malloc.LIBCMT ref: 0000024EF3E2F03F
_snprintf.LIBCMT ref: 0000024EF3E2F05A

Part of subcall function 0000024EF3E2F63C: _errno.LIBCMT ref: 0000024EF3E2F673
Part of subcall function 0000024EF3E2F63C: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E2F67E

malloc.LIBCMT ref: 0000024EF3E2F075

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction ID: e2abe75244ea9b16c4923fa0f55bf70dfac3a08329394a8360dc5b35cb61298b
Opcode Fuzzy Hash: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction Fuzzy Hash: 28114C31A1CB084FEBA8AB68A4493A577D1FB8D710F12455EE09AC3396EA78D84647C1

Function 0000024EF3E3062C Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E30664

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E3066F
_flush.LIBCMT ref: 0000024EF3E30721
_fileno.LIBCMT ref: 0000024EF3E30742

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction ID: a82832b9c28a9fdc682c5e3911737a8985a51695250cef7692d8bd9831fc0ce9
Opcode Fuzzy Hash: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction Fuzzy Hash: CB51D630318F0D4BFA686A6D544E335BAC0FF98710F27026D949BC39E6EAE5DC5A4582

Function 0000024EF3DCB3C0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction ID: 00e7337916d3dd7ee1f52b1a84118b001d1529580b8f97b74f8d7ee12b573c5e
Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction Fuzzy Hash: A9618039626A5086FF148F35E58D3A832A0F758BD9F174129DD05C7BA1CBBEC4598B40

Function 0000024EF3E110D0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0000024EF3E11117
clock.LIBCMT ref: 0000024EF3E11124
clock.LIBCMT ref: 0000024EF3E1112D
clock.LIBCMT ref: 0000024EF3E1113A

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: 1222bb1135a4b489159e96c1e84a123b3c37b7744b3c7e6763cf7e566edcb000
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: B821C93260C7480EFBA4BD98544666AF7D0FF95350F17022DE8C683643E9A59C4682D7

Function 0000024EF3DDE9D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000024EF3DDE9FC

Part of subcall function 0000024EF3DD0A00: _getptd.LIBCMT ref: 0000024EF3DD0A16
Part of subcall function 0000024EF3DD0A00: __updatetlocinfo.LIBCMT ref: 0000024EF3DD0A4B
Part of subcall function 0000024EF3DD0A00: __updatetmbcinfo.LIBCMT ref: 0000024EF3DD0A72

_errno.LIBCMT ref: 0000024EF3DDEA08

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DDEA13
strchr.LIBCMT ref: 0000024EF3DDEA29

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
Instruction ID: 645a9a7096dbf88ad35c5adba5c542e4a0e36720bd6209ae0439f45b612fef2d
Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
Instruction Fuzzy Hash: 0B2124622086B640FF609E11905833DB6D0F380BDBF1B6125EA96CBFD5CBEDC5498750

Function 0000024EF3DB04D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0000024EF3DB0517
clock.LIBCMT ref: 0000024EF3DB0524
clock.LIBCMT ref: 0000024EF3DB052D
clock.LIBCMT ref: 0000024EF3DB053A

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: e488ea57fd1d801980ac31e6b618faa36bc0d993c693eac47b14d50c6df4db7a
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: 2611066210474485FB709E66748462BB6D0BB84390F1B4025EE4583F45EBBAC889C700

Function 0000024EF3DC13B0 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3DC13D2

Part of subcall function 0000024EF3DCE684: _FF_MSGBANNER.LIBCMT ref: 0000024EF3DCE6B4
Part of subcall function 0000024EF3DCE684: _NMSG_WRITE.LIBCMT ref: 0000024EF3DCE6BE
Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE6F2
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE6FD
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE708

_snprintf.LIBCMT ref: 0000024EF3DC13F1

Part of subcall function 0000024EF3DCEA3C: _errno.LIBCMT ref: 0000024EF3DCEA73
Part of subcall function 0000024EF3DCEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DCEA7E

remove.LIBCMT ref: 0000024EF3DC13FD
remove.LIBCMT ref: 0000024EF3DC1404

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID:
API String ID: 2566950902-0
Opcode ID: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
Instruction ID: 950e1674cac872b7437b26f5ebe8ec9ea8f3e34bff6b67725f0c79f35456dd87
Opcode Fuzzy Hash: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
Instruction Fuzzy Hash: 5EF0906121869089FA109B12F80539AB364F784BC1F5B4621EF88A7F96CEBEC4458744

Function 0000024EF3E2F860 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3E2F8B1

Part of subcall function 0000024EF3E31D18: _getptd_noexit.LIBCMT ref: 0000024EF3E31D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3E2F8BC

Strings

B, xrefs: 0000024EF3E2F8E8

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction ID: 1b09da7673bf75f6ca45f3bfa831ff95f63f8f8c293a105b5e8d79ad47061219
Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction Fuzzy Hash: A411C430618B084FEB58EF1CD4497A9B7D1FB98324F6143AEA419C32A1CF78C845C782

Function 0000024EF3DCEC60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024EF3DCECB1

Part of subcall function 0000024EF3DD1118: _getptd_noexit.LIBCMT ref: 0000024EF3DD111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024EF3DCECBC

Strings

B, xrefs: 0000024EF3DCECE8

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
Instruction ID: 18be5d2b2dc3b846d7f371ca7e98689a52bf8039a4fc3630ea2116e8898276e9
Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
Instruction Fuzzy Hash: 3F118EB2620A5086FB109F12D544399B664F798FE4F964320EB5857B95CF7CC548CB00

Function 0000024EF3DB10C4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000024EF3DB116A

Part of subcall function 0000024EF3DDE208: _calloc_impl.LIBCMT ref: 0000024EF3DDE218
Part of subcall function 0000024EF3DDE208: _errno.LIBCMT ref: 0000024EF3DDE22B
Part of subcall function 0000024EF3DDE208: _errno.LIBCMT ref: 0000024EF3DDE235

free.LIBCMT ref: 0000024EF3DB12F3
free.LIBCMT ref: 0000024EF3DB12FD
free.LIBCMT ref: 0000024EF3DB130F

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
Instruction ID: d444aa3b2ff6a785cb9a41a637e5fa00e5c0c0d4568f07daedf80eb6cedf806b
Opcode Fuzzy Hash: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
Instruction Fuzzy Hash: EAC10A72604B848AEB64CF65E48439E77F4F788788F11412AEB8D83F58DB79C559CB00

Function 0000024EF3E2AD44 Relevance: 5.2, APIs: 4, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3E2AD78

Part of subcall function 0000024EF3E2F284: _FF_MSGBANNER.LIBCMT ref: 0000024EF3E2F2B4
Part of subcall function 0000024EF3E2F284: _NMSG_WRITE.LIBCMT ref: 0000024EF3E2F2BE
Part of subcall function 0000024EF3E2F284: _callnewh.LIBCMT ref: 0000024EF3E2F2F2
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F2FD
Part of subcall function 0000024EF3E2F284: _errno.LIBCMT ref: 0000024EF3E2F308

free.LIBCMT ref: 0000024EF3E2AEBF
free.LIBCMT ref: 0000024EF3E2AF23
free.LIBCMT ref: 0000024EF3E2AF2F

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction ID: d85951ba8d3d48e5bea7693c71ae8adef77bc6447c4a7ccf28f54704bb66c98e
Opcode Fuzzy Hash: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction Fuzzy Hash: 79617430B18B094BFF68AB2894997B973D1FF94740F13052DE44AC3997DEACD94A8681

Function 0000024EF3E14300 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3E14363

Memory Dump Source

Source File: 00000000.00000002.2639427046.0000024EF3E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024EF3E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3e10000_m.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction ID: d99534f8cf7049b72ce1db230550e0b3cb0f5e9b431e5328b433acf3364c9e84
Opcode Fuzzy Hash: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction Fuzzy Hash: D051B671618B054BFF58EF28948926973E1FF85300F52456DD89BC3787EA64EC4A8A81

Function 0000024EF3DCA144 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3DCA178

Part of subcall function 0000024EF3DCE684: _FF_MSGBANNER.LIBCMT ref: 0000024EF3DCE6B4
Part of subcall function 0000024EF3DCE684: _NMSG_WRITE.LIBCMT ref: 0000024EF3DCE6BE
Part of subcall function 0000024EF3DCE684: _callnewh.LIBCMT ref: 0000024EF3DCE6F2
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE6FD
Part of subcall function 0000024EF3DCE684: _errno.LIBCMT ref: 0000024EF3DCE708

free.LIBCMT ref: 0000024EF3DCA2BF
free.LIBCMT ref: 0000024EF3DCA323
free.LIBCMT ref: 0000024EF3DCA32F

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
Instruction ID: 2ad01f9337c6f96491637a05291132a2b160f7788501903b40cf05a392d48c6c
Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
Instruction Fuzzy Hash: E651EF6532024582FE28AB62A4683AD6391BB80BC4F574525DE0ADBF96DFFFC51DC700

Function 0000024EF3DB3700 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024EF3DB3763

Memory Dump Source

Source File: 00000000.00000002.2639370153.0000024EF3DB0000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000024EF3DB0000, based on PE: true

Associated: 00000000.00000002.2639398214.0000024EF3E00000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2639398214.0000024EF3E05000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24ef3db0000_m.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
Instruction ID: e133bdcdf78aaddbea537f7d53c80a98e62c3a5acda48e07b1e684035d9e6183
Opcode Fuzzy Hash: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
Instruction Fuzzy Hash: 8341AC6660078087FF58DB26A40866D63A1F744B84F474524EE2A87F85EFBAD80DD701

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report m.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
m.exe

Function 0000024EF3E25E28 Relevance: 4.7, APIs: 3, Instructions: 190
stringCOMMONLIBRARYCODE

Function 0000024EF3E1CA74 Relevance: 7.9, APIs: 6, Instructions: 411
COMMONLIBRARYCODE

Function 0000024EF3E1E68C Relevance: 7.8, APIs: 5, Instructions: 260
networkCOMMONLIBRARYCODE

Function 0000024EF3E1F014 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Function 0000024EF3E1EA48 Relevance: 3.2, APIs: 2, Instructions: 159
networkCOMMONLIBRARYCODE

Function 0000024EF3DC96B4 Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON

Function 0000024EF3DC9324 Relevance: 1.3, APIs: 1, Instructions: 87
memoryCOMMON

Function 00FEF220 Relevance: .1, Instructions: 57
COMMON

Function 00FEB5C0 Relevance: .0, Instructions: 2
COMMON