Edit tour

Windows Analysis Report
mode11_AKUh.exe

Overview

General Information

Sample name:	mode11_AKUh.exe
Analysis ID:	1583717
MD5:	ce12295b93c314028f05184606c5e6d2
SHA1:	4a16d632eb2eedfdc4957214bb2c22e6edba186c
SHA256:	899c529454c4286185a9d3c039277ce28957590e7ed3e586ccf1487317159c22
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Performs DNS queries to domains with low reputation

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

IP address seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

mode11_AKUh.exe (PID: 4628 cmdline: "C:\Users\user\Desktop\mode11_AKUh.exe" MD5: CE12295B93C314028F05184606C5E6D2)

conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 8443, "SleepTime": 12000, "MaxGetSize": 1403642, "Jitter": 60, "C2Server": "632313373.xyz,/js/jquery-3.3.1.min.js", "HttpPostUri": "/post", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 4016 bytes from the beginning", "Base64 decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "NtQueueApcThread-s", "SetThreadContext", "CreateRemoteThread", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": "Host: 632313373.xyz\r\n"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30d60:$a39: %s as %s\%s: %d 0x401e2:$a41: beacon.x64.dll 0x31f70:$a46: %s (admin) 0x30ed8:$a48: %s%s: %s 0x30d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x30db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31fd9:$a51: Content-Length: %d
00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x32760:$a39: %s as %s\%s: %d 0x41be2:$a41: beacon.x64.dll 0x33970:$a46: %s (admin) 0x328d8:$a48: %s%s: %s 0x3278c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x327b8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x339d9:$a51: Content-Length: %d
00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1a4ca:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 71 F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0x1986e:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0xb2d60:$a39: %s as %s\%s: %d 0xe8d60:$a39: %s as %s\%s: %d 0x12cd60:$a39: %s as %s\%s: %d 0xf81e2:$a41: beacon.x64.dll 0x13c1e2:$a41: beacon.x64.dll 0xb3f70:$a46: %s (admin) 0xe9f70:$a46: %s (admin) 0x12df70:$a46: %s (admin) 0xb2ed8:$a48: %s%s: %s 0xe8ed8:$a48: %s%s: %s 0x12ced8:$a48: %s%s: %s 0xb2d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xb2db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xe8d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xe8db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x12cd8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x12cdb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xb3fd9:$a51: Content-Length: %d 0xe9fd9:$a51: Content-Length: %d 0x12dfd9:$a51: Content-Length: %d
00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x54d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x74d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x9ed3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0xd4d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x118d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x5096a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x51c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x7096a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x71c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x9a96a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x9bc9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xd096a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xd1c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x11496a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x115c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
Process Memory Space: mode11_AKUh.exe PID: 4628	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: mode11_AKUh.exe PID: 4628	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: mode11_AKUh.exe PID: 4628	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: mode11_AKUh.exe PID: 4628	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x1276c:$a39: %s as %s\%s: %d 0xd2b13:$a39: %s as %s\%s: %d 0x5a2907:$a39: %s as %s\%s: %d 0x16527:$a41: beacon.x64.dll 0xd66c2:$a41: beacon.x64.dll 0x5a64b6:$a41: beacon.x64.dll 0x12af2:$a46: %s (admin) 0x12b71:$a46: %s (admin) 0xd2e99:$a46: %s (admin) 0xd2f18:$a46: %s (admin) 0x5a2c8d:$a46: %s (admin) 0x5a2d0c:$a46: %s (admin) 0x1288a:$a48: %s%s: %s 0xd2c31:$a48: %s%s: %s 0x5a2a25:$a48: %s%s: %s 0x12786:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x127af:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x12932:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xd2b2d:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xd2b56:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xd2cd9:$a50: %02d/%02d/%02d %02d:%02d:%02d
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.mode11_AKUh.exe.c000102000.5.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x4873c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.mode11_AKUh.exe.24fe60a0000.6.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.mode11_AKUh.exe.24fe60a0000.6.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.mode11_AKUh.exe.24fe60a0000.6.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.mode11_AKUh.exe.24fe60a0000.6.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1c13c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.mode11_AKUh.exe.24fe60a0000.6.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17d6a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1909b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30d60:$a39: %s as %s\%s: %d 0x401e2:$a41: beacon.x64.dll 0x31f70:$a46: %s (admin) 0x30ed8:$a48: %s%s: %s 0x30d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x30db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31fd9:$a51: Content-Length: %d
0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.mode11_AKUh.exe.c000102000.5.raw.unpack	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
0.2.mode11_AKUh.exe.c000102000.5.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.mode11_AKUh.exe.c000102000.5.raw.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.mode11_AKUh.exe.c000102000.5.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.mode11_AKUh.exe.c000102000.5.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0xb2d60:$a39: %s as %s\%s: %d 0xe8d60:$a39: %s as %s\%s: %d 0x12cd60:$a39: %s as %s\%s: %d 0xf81e2:$a41: beacon.x64.dll 0x13c1e2:$a41: beacon.x64.dll 0xb3f70:$a46: %s (admin) 0xe9f70:$a46: %s (admin) 0x12df70:$a46: %s (admin) 0xb2ed8:$a48: %s%s: %s 0xe8ed8:$a48: %s%s: %s 0x12ced8:$a48: %s%s: %s 0xb2d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xb2db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xe8d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xe8db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x12cd8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x12cdb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xb3fd9:$a51: Content-Length: %d 0xe9fd9:$a51: Content-Length: %d 0x12dfd9:$a51: Content-Length: %d
0.2.mode11_AKUh.exe.c000102000.5.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x54d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x74d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x9ed3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0xd4d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x118d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.mode11_AKUh.exe.c000102000.5.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x5096a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x51c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x7096a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x71c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x9a96a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x9bc9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xd096a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xd1c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x11496a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x115c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
Click to see the 16 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderS	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsW	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3011b87bd06	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js#	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js7f3eaf2d450	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder&	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/H	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsG	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsS	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/8	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js9	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsific(	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsO	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsD	Avira URL Cloud: Label: malware
Source: https://632313373.xyz/	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderl	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsl	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/l	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsll	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/0	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsgraphy	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsIp	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3	Avira URL Cloud: Label: malware
Source: 632313373.xyz	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js0	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 8443, "SleepTime": 12000, "MaxGetSize": 1403642, "Jitter": 60, "C2Server": "632313373.xyz,/js/jquery-3.3.1.min.js", "HttpPostUri": "/post", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 4016 bytes from the beginning", "Base64 decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "NtQueueApcThread-s", "SetThreadContext", "CreateRemoteThread", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": "Host: 632313373.xyz\r\n"}

Multi AV Scanner detection for submitted file

Source: mode11_AKUh.exe

Virustotal: Detection: 22%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: mode11_AKUh.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 632313373.xyz

Performs DNS queries to domains with low reputation

Source:

DNS query: 632313373.xyz

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 188.114.96.3:8443

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\mode11_AKUh.exe

Code function: 0_2_0000024FE789E68C _snprintf,_snprintf,_snprintf,InternetQueryDataAvailable,InternetReadFile,InternetCloseHandle,

0_2_0000024FE789E68C

Source: global traffic

DNS traffic detected: DNS query: 632313373.xyz

Source: mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D1D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012806074.0000024FE0D22000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CD1000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CD1000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269477983.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/PCUeQViQlYc.crl0
Source: mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D1D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012806074.0000024FE0D22000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CD1000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CD1000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269477983.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt0
Source: mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269477983.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/lk00%
Source: mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz/
Source: mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/
Source: mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/8
Source: mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/H
Source: mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js
Source: mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js#
Source: mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D05000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js0
Source: mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3
Source: mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D05000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/
Source: mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/0
Source: mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/l
Source: mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3011b87bd06
Source: mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js7f3eaf2d450
Source: mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js9
Source: mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsD
Source: mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsG
Source: mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsIp
Source: mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsO
Source: mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsS
Source: mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsW
Source: mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D05000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder
Source: mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder&
Source: mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderS
Source: mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderl
Source: mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsgraphy
Source: mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsific(
Source: mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsl
Source: mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsll
Source: mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/what?indextype=1&__cfduid=
Source: mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1996061324.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269517306.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/what?indextype=1&__cfduid=ERCCyKcKrDyrs19NX_O44h1D71-z3Hx_FKqjSXijuAMANt5NDF-

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.mode11_AKUh.exe.c000102000.5.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.mode11_AKUh.exe.c000102000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.mode11_AKUh.exe.c000102000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.mode11_AKUh.exe.c000102000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: Process Memory Space: mode11_AKUh.exe PID: 4628, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown

Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60A9680	0_2_0000024FE60A9680
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60CC680	0_2_0000024FE60CC680
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60B6F38	0_2_0000024FE60B6F38
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60CB7B0	0_2_0000024FE60CB7B0
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60CCFF0	0_2_0000024FE60CCFF0
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60BF5A8	0_2_0000024FE60BF5A8
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60CE600	0_2_0000024FE60CE600
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60ACE3C	0_2_0000024FE60ACE3C
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60CAAB0	0_2_0000024FE60CAAB0
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60B0334	0_2_0000024FE60B0334
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60C0374	0_2_0000024FE60C0374
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60C239C	0_2_0000024FE60C239C
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60CC397	0_2_0000024FE60CC397
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60C5914	0_2_0000024FE60C5914
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60C1928	0_2_0000024FE60C1928
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60A916C	0_2_0000024FE60A916C
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60C1264	0_2_0000024FE60C1264
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78B2F9C	0_2_0000024FE78B2F9C
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78B1E64	0_2_0000024FE78B1E64
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78B2528	0_2_0000024FE78B2528
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78BDBF0	0_2_0000024FE78BDBF0
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78A7B38	0_2_0000024FE78A7B38
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78BD280	0_2_0000024FE78BD280
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78B01A8	0_2_0000024FE78B01A8

Source: mode11_AKUh.exe

Static PE information: Number of sections : 15 > 10

Source: 0.2.mode11_AKUh.exe.c000102000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.mode11_AKUh.exe.c000102000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.mode11_AKUh.exe.c000102000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.mode11_AKUh.exe.c000102000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: Process Memory Space: mode11_AKUh.exe PID: 4628, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23

Source: mode11_AKUh.exe	Static PE information: Section: /19 ZLIB complexity 0.9983966884328358
Source: mode11_AKUh.exe	Static PE information: Section: /32 ZLIB complexity 0.9919834421641791
Source: mode11_AKUh.exe	Static PE information: Section: /65 ZLIB complexity 1.0001717032967032
Source: mode11_AKUh.exe	Static PE information: Section: /78 ZLIB complexity 0.9947857481060606

Source: classification engine

Classification label: mal100.troj.winEXE@2/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03

Source: mode11_AKUh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mode11_AKUh.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mode11_AKUh.exe

Virustotal: Detection: 22%

Source: mode11_AKUh.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned" not supported for cpu option "MapIter.Value called before Nextuse of closed network connectioncrypto/aes: output not full blockCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyW142108547152020037174224853515625710542735760100185871124267578125too many levels of symbolic linksslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangeGODEBUG: no value specified for "reflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangewaiting for unsupported file typecrypto/aes: invalid buffer overlapillegal base64 data at input byte CM_Get_Device_Interface_List_SizeWSetFileCompletionNotificationModes3552713678800500929355621337890625too many references: cannot spliceslice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangeunexpected runtime.netpoll error: encoding/hex: odd length hex stringSubscribeServiceChangeNotifications1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9network dropped connection on resettransport endpoint is not connectedpersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid
Source: mode11_AKUh.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned" not supported for cpu option "MapIter.Value called before Nextuse of closed network connectioncrypto/aes: output not full blockCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyW142108547152020037174224853515625710542735760100185871124267578125too many levels of symbolic linksslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangeGODEBUG: no value specified for "reflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangewaiting for unsupported file typecrypto/aes: invalid buffer overlapillegal base64 data at input byte CM_Get_Device_Interface_List_SizeWSetFileCompletionNotificationModes3552713678800500929355621337890625too many references: cannot spliceslice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangeunexpected runtime.netpoll error: encoding/hex: odd length hex stringSubscribeServiceChangeNotifications1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9network dropped connection on resettransport endpoint is not connectedpersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid
Source: mode11_AKUh.exe	String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go

Source: unknown	Process created: C:\Users\user\Desktop\mode11_AKUh.exe "C:\Users\user\Desktop\mode11_AKUh.exe"
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\mode11_AKUh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: mode11_AKUh.exe

Static file information: File size 4936192 > 1048576

Source: mode11_AKUh.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2dc400

Source: mode11_AKUh.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: mode11_AKUh.exe	Static PE information: section name: .xdata
Source: mode11_AKUh.exe	Static PE information: section name: /4
Source: mode11_AKUh.exe	Static PE information: section name: /19
Source: mode11_AKUh.exe	Static PE information: section name: /32
Source: mode11_AKUh.exe	Static PE information: section name: /46
Source: mode11_AKUh.exe	Static PE information: section name: /65
Source: mode11_AKUh.exe	Static PE information: section name: /78
Source: mode11_AKUh.exe	Static PE information: section name: /90
Source: mode11_AKUh.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE60D776C push 0000006Ah; retf	0_2_0000024FE60D7784
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78BB84F push ebp; iretd	0_2_0000024FE78BB850
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE789A71E push cs; retf	0_2_0000024FE789A71F
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE789BD58 push ebp; iretd	0_2_0000024FE789BD59
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78C03FC push ebp; iretd	0_2_0000024FE78C0401
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE789A35D push edi; iretd	0_2_0000024FE789A35E
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78A0901 push ebx; iretd	0_2_0000024FE78A0902
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE789C91C pushad ; retf	0_2_0000024FE789C91D
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78BB86F push ebp; iretd	0_2_0000024FE78BB870
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Code function: 0_2_0000024FE78BB898 push ebp; iretd	0_2_0000024FE78BB899

Source: C:\Users\user\Desktop\mode11_AKUh.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\mode11_AKUh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mode11_AKUh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0C
Source: mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CDC000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CDC000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CDC000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CD1000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CDC000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CDC000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\mode11_AKUh.exe

Code function: 0_2_0000024FE78A5E28 GetUserNameA,strrchr,_snprintf,

0_2_0000024FE78A5E28

Source: C:\Users\user\Desktop\mode11_AKUh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 0.2.mode11_AKUh.exe.24fe60a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mode11_AKUh.exe.c000102000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mode11_AKUh.exe PID: 4628, type: MEMORYSTR
Source: Yara match	File source: 0.2.mode11_AKUh.exe.24fe60a0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Obfuscated Files or Information	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mode11_AKUh.exe	22%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderS	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsW	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3011b87bd06	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js#	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js7f3eaf2d450	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder&	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/H	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsG	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsS	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/8	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js9	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsific(	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsO	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsD	100%	Avira URL Cloud	malware
https://632313373.xyz/	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderl	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsl	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/l	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsll	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/0	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsgraphy	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsIp	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3	100%	Avira URL Cloud	malware
632313373.xyz	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js0	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
632313373.xyz	188.114.96.3	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
632313373.xyz	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderS	mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://o.pki.goog/s/we1/lk00%	mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269477983.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsW	mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js#	mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/we1.crt0	mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269477983.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3011b87bd06	mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://c.pki.goog/r/gsr1.crl0	mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D1D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.js7f3eaf2d450	mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder&	mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/	mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D05000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/H	mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsG	mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsS	mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/what?indextype=1&__cfduid=	mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0C4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsO	mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsific(	mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js9	mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/8	mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js	mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0C4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://c.pki.goog/we1/PCUeQViQlYc.crl0	mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269477983.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/	mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsD	mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderl	mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/gsr1.crt0-	mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D1D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2932779080.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	false		high
http://c.pki.goog/r/r4.crl0	mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012806074.0000024FE0D22000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CD1000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CD1000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz/	mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsl	mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/r4.crt0	mode11_AKUh.exe, 00000000.00000003.2136128323.0000024FE0D23000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012958625.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2012806074.0000024FE0D22000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CD1000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081591268.0000024FE0D21000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1995524197.0000024FE0D1F000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D25000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152650364.0000024FE0D27000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CD1000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030938547.0000024FE0D20000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0D13000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0D2D000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsll	mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0C4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/l	mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder	mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D05000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/0	mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsgraphy	mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsIp	mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0C4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3	mode11_AKUh.exe, 00000000.00000003.2116987076.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2136067966.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js0	mode11_AKUh.exe, 00000000.00000003.1994275815.0000024FE0D05000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2030777154.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000002.3180756033.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/what?indextype=1&__cfduid=ERCCyKcKrDyrs19NX_O44h1D71-z3Hx_FKqjSXijuAMANt5NDF-	mode11_AKUh.exe, 00000000.00000003.2081335569.0000024FE0CB2000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.1996061324.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269210830.0000024FE0CEB000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2269517306.0000024FE0D14000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2152785582.0000024FE0CB3000.00000004.00000020.00020000.00000000.sdmp, mode11_AKUh.exe, 00000000.00000003.2135940220.0000024FE0D15000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	632313373.xyz	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583717
Start date and time:	2025-01-03 13:04:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mode11_AKUh.exe
Detection:	MAL
Classification:	mal100.troj.winEXE@2/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:05:23	API Interceptor	65x Sleep call for process: mode11_AKUh.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
632313373.xyz	m.exe	Get hash	malicious	CobaltStrike	Browse	188.114.97.3
632313373.xyz	svchostinter.exe	Get hash	malicious	CobaltStrike	Browse	172.67.175.230

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://t1.awagama2.org	Get hash	malicious	Unknown	Browse	188.114.96.3
	m.exe	Get hash	malicious	CobaltStrike	Browse	188.114.97.3
	http://www.escudier-sas.fr	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.18.11.207
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	http://www.technoafriwave.rw	Get hash	malicious	Unknown	Browse	1.1.1.1
	dropper.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.0904122014374344
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mode11_AKUh.exe
File size:	4'936'192 bytes
MD5:	ce12295b93c314028f05184606c5e6d2
SHA1:	4a16d632eb2eedfdc4957214bb2c22e6edba186c
SHA256:	899c529454c4286185a9d3c039277ce28957590e7ed3e586ccf1487317159c22
SHA512:	0da5cc2e19fdef82e4cc7dc6e9a31b92db29a176e38228bd9102b3dd407311a090dcb9546ec39f5bcb4bb6b76878837fea3f0852cd74dcfcd804c4af979ea423
SSDEEP:	49152:DwgD2g+gqrAwijjC4mkZMyITWt1U4yP21Qsq8VT/0+2Yw22imSFXhmsjH0nVVuqI:DwNhJj6XgsjHsIJ
TLSH:	A836D007BCE119B9C4A993328AB652927B71BC090F3263D73A50B37C2F76BD49936744
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........bI......."..........n................@..............................`P...........`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46ec80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	d42595b695fc008ef2c56aabd8efd68e

Entrypoint Preview

Instruction
jmp 00007F642C92A050h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [003877F2h]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F642C92D8F5h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F642C937ECBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4e1000	0x53e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3fa000	0x5370	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e2000	0x499c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x39a180	0x178	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xbbbfc	0xbbc00	312bbbf22b97d64fd97a7e46b1939084	False	0.4751009071238349	data	6.266185221137177	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xbd000	0x2dc3c0	0x2dc400	690044b510abe6d640a129a6525d8aed	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x39a000	0x5fe20	0x16e00	e5838ca129a9f3fabc511ed99bb30ad0	False	0.28531634221311475	data	3.201949056230068	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3fa000	0x5370	0x5400	6b7df8b45d2250e08eb91fb84ea19749	False	0.4015531994047619	data	4.9405195822402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x400000	0xb4	0x200	d5a432b15ea1de5871ba1b040f244088	False	0.228515625	shared library	1.787112262798912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x401000	0x14c	0x200	aaf28638a5fca2ae9b61c2d0ecb5c6e7	False	0.697265625	data	5.610479515469117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x402000	0x29c7f	0x29e00	a3ea6e2ffa2f18897c371386f6f62e52	False	0.9983966884328358	data	7.995610618645513	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0x42c000	0x84ff	0x8600	582b1e7243dd782f942e6c77d340b256	False	0.9919834421641791	data	7.930104690064365	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0x435000	0x30	0x200	40cca7c46fc713b4f088e5d440ca7931	False	0.103515625	data	0.8556848540171443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0x436000	0x71b9c	0x71c00	c24735678d61271de611d7e54b25c9c0	False	1.0001717032967032	data	7.9975421165033325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0x4a8000	0x29254	0x29400	df4dc3e2c58412dbce7562f34bd85fb9	False	0.9947857481060606	data	7.989700372903226	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x4d2000	0xee16	0xf000	e560c8c21e47c6e8d33053503c1909cc	False	0.968505859375	data	7.794718211622298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x4e1000	0x53e	0x600	dc5f8470b7948f6f474e78602633f9c5	False	0.3776041666666667	OpenPGP Public Key	4.017189066074398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x4e2000	0x499c	0x4a00	f2f1e92cf2853b858f54be1a58a10bf5	False	0.3123416385135135	data	5.40937618793129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x4e7000	0x1eef5	0x1f000	b474977a91bef07331cb5ece744eec94	False	0.2526461693548387	data	5.090110018856009	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 13:05:23.009561062 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:23.014379025 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:23.014441967 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:23.025661945 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:23.030424118 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:23.462981939 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:23.462996006 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:23.463007927 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:23.463036060 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:23.463069916 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:23.494761944 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:23.500215054 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:23.588578939 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:23.588644981 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:23.598397017 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:23.605659962 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:24.684201002 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:24.684215069 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:24.684226036 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:24.684237003 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:24.684250116 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:24.684262037 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:24.684319019 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:24.684360981 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:24.838730097 CET	49731	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:24.843523979 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:24.843597889 CET	49731	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:24.858429909 CET	49731	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:24.863221884 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:25.353733063 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:25.353791952 CET	49731	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:25.354540110 CET	49731	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:25.355889082 CET	49731	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:25.359318018 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:25.360666990 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:26.464570045 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:26.464582920 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:26.464636087 CET	49731	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:26.464668989 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:26.464680910 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:26.464693069 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:26.464704037 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:26.464715004 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:26.464746952 CET	49731	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:26.464772940 CET	49731	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:26.574497938 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:26.575131893 CET	49732	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:26.579516888 CET	8443	49730	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:26.579572916 CET	49730	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:26.580029011 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:26.580089092 CET	49732	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:26.580315113 CET	49732	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:26.585177898 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:27.126956940 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:27.130420923 CET	49732	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:27.130779028 CET	49732	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:27.131767988 CET	49732	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:27.135554075 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:27.136626005 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.232486010 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.232512951 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.232523918 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.232534885 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.232547045 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.232561111 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.232563019 CET	49732	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:28.232573032 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.232598066 CET	49732	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:28.232635975 CET	49732	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:28.355907917 CET	49731	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:28.356535912 CET	49733	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:28.360996962 CET	8443	49731	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.361054897 CET	49731	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:28.361383915 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.361458063 CET	49733	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:28.361682892 CET	49733	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:28.366494894 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.826899052 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.826994896 CET	49733	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:28.827605009 CET	49733	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:28.828696012 CET	49733	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:28.832379103 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:28.833446980 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:29.942069054 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:29.942090034 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:29.942101955 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:29.942120075 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:29.942131042 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:29.942143917 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:29.942193031 CET	49733	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:29.942249060 CET	49733	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:30.061641932 CET	49732	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:30.066813946 CET	8443	49732	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:30.066873074 CET	49732	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:30.255295038 CET	49734	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:30.260525942 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:30.260603905 CET	49734	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:30.315710068 CET	49734	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:30.320492029 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:30.707568884 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:30.707629919 CET	49734	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:30.708147049 CET	49734	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:30.709475994 CET	49734	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:30.712883949 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:30.714273930 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:31.802656889 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:31.802684069 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:31.802695990 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:31.802706957 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:31.802722931 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:31.802736044 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:31.802764893 CET	49734	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:31.802819014 CET	49734	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:31.918214083 CET	49733	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:31.923326969 CET	8443	49733	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:31.923418999 CET	49733	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:31.940587997 CET	49735	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:31.945610046 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:31.946783066 CET	49735	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:31.947103024 CET	49735	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:31.951909065 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:32.459670067 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:32.459748983 CET	49735	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:32.460903883 CET	49735	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:32.465677023 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:32.467808962 CET	49735	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:32.472570896 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:33.606117964 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:33.606132984 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:33.606146097 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:33.606157064 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:33.606168985 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:33.606180906 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:33.606187105 CET	49735	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:33.606230974 CET	49735	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:33.606230974 CET	49735	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:33.715157032 CET	49734	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:33.720329046 CET	8443	49734	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:33.720403910 CET	49734	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:33.733488083 CET	49736	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:33.738306046 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:33.738369942 CET	49736	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:33.738626003 CET	49736	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:33.743448973 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:34.186902046 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:34.186991930 CET	49736	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:34.187390089 CET	49736	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:34.188380957 CET	49736	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:34.192114115 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:34.193178892 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.265053034 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.265064001 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.265075922 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.265084982 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.265089035 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.265100956 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.265137911 CET	49736	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:35.265191078 CET	49736	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:35.444371939 CET	49735	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:35.448448896 CET	49737	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:35.449440956 CET	8443	49735	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.449517965 CET	49735	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:35.453567028 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.455401897 CET	49737	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:35.460310936 CET	49737	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:35.465146065 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.901777983 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.901871920 CET	49737	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:35.902211905 CET	49737	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:35.903335094 CET	49737	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:35.907016993 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:35.908138037 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.006400108 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.006414890 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.006421089 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.006427050 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.006442070 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.006460905 CET	49737	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:37.006486893 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.006495953 CET	49737	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:37.006544113 CET	49737	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:37.121516943 CET	49736	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:37.122037888 CET	49739	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:37.126636028 CET	8443	49736	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.126743078 CET	49736	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:37.126898050 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.127059937 CET	49739	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:37.127289057 CET	49739	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:37.132061005 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.601346970 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.601416111 CET	49739	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:37.601839066 CET	49739	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:37.605627060 CET	49739	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:37.606576920 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:37.610529900 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:38.768389940 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:38.768407106 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:38.768418074 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:38.768436909 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:38.768449068 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:38.768461943 CET	49739	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:38.768470049 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:38.768481016 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:38.768495083 CET	49739	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:38.768809080 CET	49739	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:38.902538061 CET	49737	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:38.903202057 CET	49742	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:38.907514095 CET	8443	49737	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:38.907566071 CET	49737	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:38.907958031 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:38.908019066 CET	49742	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:38.908366919 CET	49742	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:38.913652897 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:39.548795938 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:39.548878908 CET	49742	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:39.549715042 CET	49742	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:39.551135063 CET	49742	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:39.557398081 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:39.558023930 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:40.656836033 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:40.656864882 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:40.656877041 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:40.656887054 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:40.656898975 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:40.656909943 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:40.656970024 CET	49742	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:40.657031059 CET	49742	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:40.778302908 CET	49744	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:40.778302908 CET	49739	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:40.783173084 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:40.783730030 CET	49744	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:40.783730030 CET	49744	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:40.787784100 CET	8443	49739	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:40.788058043 CET	49739	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:40.788537979 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:41.230674028 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:41.230727911 CET	49744	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:41.231199980 CET	49744	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:41.235511065 CET	49744	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:41.235953093 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:41.240293026 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.330210924 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.330229998 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.330241919 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.330252886 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.330265045 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.330275059 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.330286026 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.330295086 CET	49744	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:42.330322981 CET	49744	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:42.330352068 CET	49744	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:42.480940104 CET	49742	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:42.481877089 CET	49745	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:42.485989094 CET	8443	49742	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.486669064 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.486813068 CET	49742	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:42.486886978 CET	49745	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:42.487020969 CET	49745	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:42.491802931 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.933825016 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.933994055 CET	49745	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:42.942605972 CET	49745	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:42.947187901 CET	49745	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:42.947402954 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:42.951993942 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.115283012 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.115354061 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.115365982 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.115376949 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.115387917 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.115400076 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.115439892 CET	49745	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:44.115489006 CET	49745	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:44.231441021 CET	49744	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:44.236470938 CET	8443	49744	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.236783028 CET	49744	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:44.258423090 CET	49746	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:44.263346910 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.263411045 CET	49746	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:44.263674974 CET	49746	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:44.268429995 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.732305050 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.732357979 CET	49746	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:44.732865095 CET	49746	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:44.733747005 CET	49746	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:44.737622023 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:44.738543034 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:45.798492908 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:45.798508883 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:45.798521042 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:45.798532963 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:45.798544884 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:45.798557043 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:45.798557997 CET	49746	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:45.798607111 CET	49746	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:45.902657032 CET	49745	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:45.907720089 CET	8443	49745	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:45.907803059 CET	49745	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:45.939940929 CET	49747	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:45.944719076 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:45.944849968 CET	49747	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:45.945179939 CET	49747	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:45.949922085 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:46.409562111 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:46.409657955 CET	49747	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:46.410206079 CET	49747	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:46.411446095 CET	49747	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:46.414963961 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:46.416264057 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:47.500996113 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:47.501014948 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:47.501025915 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:47.501036882 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:47.501048088 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:47.501059055 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:47.501085997 CET	49747	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:47.501085997 CET	49747	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:47.501156092 CET	49747	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:47.605762005 CET	49746	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:47.606360912 CET	49748	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:47.610692978 CET	8443	49746	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:47.610753059 CET	49746	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:47.611134052 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:47.611197948 CET	49748	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:47.611558914 CET	49748	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:47.616354942 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:48.075757980 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:48.075810909 CET	49748	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:48.076657057 CET	49748	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:48.078054905 CET	49748	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:48.082865000 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:48.083933115 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.172180891 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.172257900 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.172271013 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.172285080 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.172296047 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.172307968 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.172336102 CET	49748	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:49.172377110 CET	49748	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:49.277679920 CET	49747	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:49.278181076 CET	49749	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:49.282733917 CET	8443	49747	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.283030033 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.283155918 CET	49747	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:49.283179998 CET	49749	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:49.287420034 CET	49749	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:49.292174101 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.730197906 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.730266094 CET	49749	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:49.730856895 CET	49749	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:49.732019901 CET	49749	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:49.735583067 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:49.736898899 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:50.893656969 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:50.893672943 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:50.893685102 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:50.893697023 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:50.893707991 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:50.893718958 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:50.893728018 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:50.893757105 CET	49749	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:50.893778086 CET	49749	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:51.097748995 CET	49748	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:51.102803946 CET	8443	49748	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:51.102885962 CET	49748	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:51.121855021 CET	49750	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:51.126688957 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:51.126766920 CET	49750	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:51.151731968 CET	49750	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:51.156574011 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:51.602698088 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:51.602763891 CET	49750	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:51.603528023 CET	49750	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:51.604681015 CET	49750	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:51.608278990 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:51.609462023 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:52.739484072 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:52.739516973 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:52.739530087 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:52.739540100 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:52.739552021 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:52.739563942 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:52.739613056 CET	49750	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:52.739679098 CET	49750	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:57.558871984 CET	49749	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:57.563863993 CET	8443	49749	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:57.563910961 CET	49749	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:57.592442036 CET	49762	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:57.597229004 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:57.597312927 CET	49762	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:57.597626925 CET	49762	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:57.602396965 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:58.071126938 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:58.071178913 CET	49762	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:58.071541071 CET	49762	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:58.072463989 CET	49762	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:58.076272964 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:58.077203989 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.182167053 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.182235003 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.182260036 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.182275057 CET	49762	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:59.182286024 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.182300091 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.182311058 CET	49762	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:59.182326078 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.182367086 CET	49762	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:59.293335915 CET	49750	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:59.293832064 CET	49773	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:59.298363924 CET	8443	49750	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.298461914 CET	49750	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:59.298598051 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.298664093 CET	49773	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:59.298924923 CET	49773	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:59.303658009 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.742990971 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.743066072 CET	49773	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:59.743457079 CET	49773	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:59.744551897 CET	49773	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:05:59.748321056 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:05:59.749466896 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:00.825988054 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:00.826025963 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:00.826049089 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:00.826060057 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:00.826080084 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:00.826095104 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:00.826139927 CET	49773	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:00.826186895 CET	49773	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:01.174912930 CET	49762	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:01.175405979 CET	49784	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:01.179912090 CET	8443	49762	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:01.180226088 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:01.180294991 CET	49762	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:01.180341005 CET	49784	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:01.180803061 CET	49784	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:01.185561895 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:01.645064116 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:01.645131111 CET	49784	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:01.645562887 CET	49784	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:01.646524906 CET	49784	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:01.650382996 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:01.651386023 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:02.753062963 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:02.753081083 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:02.753103971 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:02.753117085 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:02.753134012 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:02.753144979 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:02.753144026 CET	49784	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:02.753144026 CET	49784	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:02.753186941 CET	49784	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:02.855717897 CET	49773	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:02.856095076 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:02.860877037 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:02.860960960 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:02.861254930 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:02.866107941 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:02.867057085 CET	8443	49773	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:02.867115021 CET	49773	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:03.306056976 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:03.306139946 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:03.306606054 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:03.307475090 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:03.311428070 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:03.312244892 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.388812065 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.388828039 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.388850927 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.388863087 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.388866901 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.388870001 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.388887882 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.388889074 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.388906002 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.388907909 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.388936043 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.388953924 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.497816086 CET	49784	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.498436928 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.502789974 CET	8443	49784	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.502845049 CET	49784	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.503268957 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.503331900 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.503576040 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.508379936 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.956470013 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.956603050 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.957818985 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.957818985 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:04.962631941 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:04.962647915 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.087512970 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.087542057 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.087563038 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.087578058 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.087575912 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.087603092 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.087610006 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.087610006 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.087615013 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.087620020 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.087654114 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.087690115 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.199769020 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.200334072 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.204787016 CET	8443	49798	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.204852104 CET	49798	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.205202103 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.205284119 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.205475092 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.210225105 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.672185898 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.672266006 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.672636986 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.673584938 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:06.677364111 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:06.678323030 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:07.784183025 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:07.784204006 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:07.784215927 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:07.784254074 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:07.784285069 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:07.784297943 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:07.784327030 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:07.784327030 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:07.784349918 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:07.874885082 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:07.874943018 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:07.980892897 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:07.981508017 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:07.985876083 CET	8443	49806	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:07.985928059 CET	49806	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:07.986361027 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:07.986419916 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:07.986674070 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:07.991451979 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:08.432801962 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:08.433824062 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:08.434274912 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:08.435355902 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:08.439059019 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:08.440161943 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:09.534607887 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:09.534635067 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:09.534651041 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:09.534672976 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:09.534689903 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:09.534689903 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:09.534696102 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:09.534709930 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:09.534722090 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:09.534723043 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:09.534746885 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:09.534774065 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:09.637073040 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:09.637537956 CET	49841	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:09.642055035 CET	8443	49817	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:09.642105103 CET	49817	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:09.642276049 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:09.642363071 CET	49841	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:09.642587900 CET	49841	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:09.647386074 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:10.094716072 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:10.094789982 CET	49841	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:10.095269918 CET	49841	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:10.096438885 CET	49841	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:10.100020885 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:10.101243019 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.229132891 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.229150057 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.229161024 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.229171991 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.229182959 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.229196072 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.229307890 CET	49841	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:11.340934038 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:11.341399908 CET	49853	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:11.346009970 CET	8443	49829	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.346292019 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.346355915 CET	49829	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:11.346394062 CET	49853	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:11.346668005 CET	49853	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:11.351557970 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.797087908 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.797151089 CET	49853	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:11.797629118 CET	49853	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:11.798566103 CET	49853	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:11.802371025 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:11.803320885 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:12.934287071 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:12.934382915 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:12.934393883 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:12.934417009 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:12.934427977 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:12.934439898 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:12.934448957 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:12.934487104 CET	49853	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:12.934515953 CET	49853	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:13.043332100 CET	49841	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:13.043783903 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:13.048320055 CET	8443	49841	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:13.048609972 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:13.048670053 CET	49841	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:13.048711061 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:13.109383106 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:13.114229918 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:13.503813982 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:13.506598949 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:13.506902933 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:13.507863998 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:13.511692047 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:13.512619019 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:14.636720896 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:14.636785030 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:14.636790991 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:14.636797905 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:14.636812925 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:14.636820078 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:14.636825085 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:14.636838913 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:14.636842012 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:14.636862040 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:14.636879921 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:14.746464968 CET	49853	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:14.746990919 CET	49875	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:14.751486063 CET	8443	49853	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:14.751543999 CET	49853	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:14.751826048 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:14.751887083 CET	49875	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:14.752134085 CET	49875	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:14.756885052 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:15.226435900 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:15.226609945 CET	49875	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:15.227049112 CET	49875	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:15.227996111 CET	49875	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:15.231828928 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:15.232780933 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.313330889 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.313352108 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.313364983 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.313386917 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.313402891 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.313412905 CET	49875	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:16.313414097 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.313438892 CET	49875	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:16.313473940 CET	49875	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:16.435172081 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:16.435581923 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:16.440089941 CET	8443	49864	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.440143108 CET	49864	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:16.440416098 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.440484047 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:16.440788031 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:16.445534945 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.906050920 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.906120062 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:16.906924009 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:16.908948898 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:16.911725044 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:16.913770914 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:17.981879950 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:17.981930971 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:17.981946945 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:17.981950045 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:17.981970072 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:17.981971979 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:17.981981993 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:17.981996059 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:17.982002020 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:17.982013941 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:17.982026100 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:17.982039928 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:18.090261936 CET	49875	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:18.091171026 CET	49903	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:18.095310926 CET	8443	49875	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:18.095377922 CET	49875	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:18.096004963 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:18.096066952 CET	49903	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:18.096402884 CET	49903	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:18.101222992 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:18.559233904 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:18.559350967 CET	49903	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:18.559721947 CET	49903	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:18.560790062 CET	49903	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:18.564552069 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:18.565613031 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:19.672938108 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:19.672960043 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:19.672974110 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:19.672985077 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:19.673003912 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:19.673013926 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:19.673026085 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:19.673032999 CET	49903	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:19.676543951 CET	49903	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:19.777719021 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:19.778135061 CET	49914	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:19.782881975 CET	8443	49889	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:19.782968044 CET	49889	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:19.783003092 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:19.783101082 CET	49914	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:19.783305883 CET	49914	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:19.788089037 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:20.242386103 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:20.242492914 CET	49914	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:20.242881060 CET	49914	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:20.243911028 CET	49914	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:20.247654915 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:20.248682022 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.335169077 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.335184097 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.335201979 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.335222006 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.335232973 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.335243940 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.335247040 CET	49914	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:21.335285902 CET	49914	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:21.425081968 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.425142050 CET	49914	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:21.527760029 CET	49903	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:21.528188944 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:21.532784939 CET	8443	49903	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.533015966 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.533185959 CET	49903	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:21.533236027 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:21.533421040 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:21.538165092 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.998456001 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:21.998621941 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:21.999001026 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:21.999959946 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:22.004118919 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:22.004820108 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.109505892 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.109520912 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.109539986 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.109551907 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.109563112 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.109574080 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.109601021 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.109606981 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.109626055 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.109652996 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.215794086 CET	49914	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.216422081 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.220767975 CET	8443	49914	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.220819950 CET	49914	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.221185923 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.221256971 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.221467972 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.226229906 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.685364962 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.685425043 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.685839891 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.686992884 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:23.690617085 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:23.691720963 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:24.764524937 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:24.764543056 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:24.764555931 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:24.764575005 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:24.764586926 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:24.764588118 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:24.764632940 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:24.764633894 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:24.764664888 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:24.764692068 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:24.872145891 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:24.872694016 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:24.877206087 CET	8443	49925	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:24.877257109 CET	49925	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:24.877459049 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:24.877573013 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:24.877829075 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:24.882642031 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:25.339364052 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:25.339421988 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:25.339791059 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:25.340791941 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:25.344556093 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:25.345540047 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:26.493794918 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:26.493818045 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:26.493833065 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:26.493849993 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:26.493849993 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:26.493861914 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:26.493866920 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:26.493874073 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:26.493885040 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:26.493901968 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:26.493916988 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:26.616616964 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:26.617166996 CET	49960	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:26.621582985 CET	8443	49937	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:26.622000933 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:26.624567986 CET	49937	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:26.624588013 CET	49960	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:26.624895096 CET	49960	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:26.629671097 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:27.067358017 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:27.067426920 CET	49960	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:27.067900896 CET	49960	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:27.069075108 CET	49960	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:27.072643995 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:27.073832035 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.229343891 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.229370117 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.229388952 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.229403019 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.229414940 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.229425907 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.229579926 CET	49960	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:28.229581118 CET	49960	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:28.341377020 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:28.341839075 CET	49971	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:28.346390009 CET	8443	49949	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.346652031 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.346782923 CET	49971	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:28.346793890 CET	49949	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:28.350856066 CET	49971	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:28.355699062 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.791747093 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.791805983 CET	49971	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:28.792144060 CET	49971	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:28.793040037 CET	49971	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:28.796926975 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:28.797811985 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:29.885905027 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:29.885970116 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:29.885981083 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:29.885993004 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:29.886004925 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:29.886014938 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:29.886025906 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:29.886063099 CET	49971	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:29.886104107 CET	49971	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:29.998366117 CET	49960	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:29.998743057 CET	49984	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:30.003587008 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:30.003671885 CET	8443	49960	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:30.004609108 CET	49960	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:30.004625082 CET	49984	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:30.004776001 CET	49984	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:30.009536982 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:30.465975046 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:30.466042995 CET	49984	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:30.466460943 CET	49984	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:30.467466116 CET	49984	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:30.471198082 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:30.472212076 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:31.574136019 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:31.574148893 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:31.574172020 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:31.574182987 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:31.574193954 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:31.574204922 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:31.574208975 CET	49984	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:31.574217081 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:31.574259043 CET	49984	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:31.574259043 CET	49984	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:31.684911966 CET	49971	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:31.685906887 CET	49995	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:31.689986944 CET	8443	49971	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:31.690038919 CET	49971	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:31.690855980 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:31.690912008 CET	49995	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:31.691668987 CET	49995	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:31.696405888 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:32.148947954 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:32.149468899 CET	49995	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:32.149468899 CET	49995	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:32.150434971 CET	49995	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:32.154239893 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:32.155180931 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.237528086 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.237561941 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.237574100 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.237586021 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.237596989 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.237607956 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.237622976 CET	49995	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:33.237674952 CET	49995	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:33.237682104 CET	49995	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:33.341080904 CET	49984	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:33.341682911 CET	50007	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:33.346034050 CET	8443	49984	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.346090078 CET	49984	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:33.346458912 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.346525908 CET	50007	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:33.346818924 CET	50007	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:33.351577997 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.791194916 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.791250944 CET	50007	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:33.791577101 CET	50007	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:33.792714119 CET	50007	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:33.796331882 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:33.797576904 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:34.866710901 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:34.866731882 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:34.866743088 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:34.866755009 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:34.866765022 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:34.866770983 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:34.866816998 CET	50007	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:34.866893053 CET	50007	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:34.981662989 CET	49995	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:34.982358932 CET	50019	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:34.986640930 CET	8443	49995	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:34.986701012 CET	49995	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:34.987185001 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:34.987248898 CET	50019	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:34.987564087 CET	50019	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:34.992310047 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:35.441406012 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:35.441478014 CET	50019	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:35.441894054 CET	50019	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:35.442908049 CET	50019	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:35.446772099 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:35.447751999 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:36.564973116 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:36.565001965 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:36.565018892 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:36.565032005 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:36.565042973 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:36.565054893 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:36.565063953 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:36.565073967 CET	50019	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:36.565109015 CET	50019	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:36.565160990 CET	50019	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:36.669038057 CET	50007	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:36.669548035 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:36.674010992 CET	8443	50007	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:36.674077034 CET	50007	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:36.674355984 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:36.674429893 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:36.674757957 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:36.679485083 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:37.138192892 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:37.138243914 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:37.139257908 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:37.140647888 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:37.143975019 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:37.145387888 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.288569927 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.288599014 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.288614988 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.288630962 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.288640022 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.288646936 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.288666964 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.288702011 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.375993013 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.376060009 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.481610060 CET	50019	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.482070923 CET	50041	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.486704111 CET	8443	50019	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.486953974 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.486989975 CET	50019	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.487041950 CET	50041	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.487246037 CET	50041	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.492007017 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.961632013 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.961689949 CET	50041	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.962191105 CET	50041	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.963188887 CET	50041	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:38.969147921 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:38.969160080 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.047907114 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.047925949 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.047945976 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.047957897 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.047967911 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.047979116 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.047991037 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.047991037 CET	50041	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:40.048048019 CET	50041	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:40.153448105 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:40.153893948 CET	50042	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:40.158334970 CET	8443	50031	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.158663988 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.158730030 CET	50031	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:40.158757925 CET	50042	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:40.159039974 CET	50042	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:40.163819075 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.615420103 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.616617918 CET	50042	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:40.617018938 CET	50042	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:40.618026972 CET	50042	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:40.621849060 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:40.622762918 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:41.767712116 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:41.767731905 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:41.767744064 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:41.767755985 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:41.767766953 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:41.767777920 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:41.767791986 CET	50042	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:41.767827988 CET	50042	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:41.925291061 CET	50041	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:41.926100016 CET	50043	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:41.930337906 CET	8443	50041	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:41.930392981 CET	50041	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:41.931000948 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:41.931054115 CET	50043	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:41.931438923 CET	50043	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:41.936276913 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:42.400634050 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:42.400821924 CET	50043	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:42.401252985 CET	50043	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:42.402230978 CET	50043	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:42.406034946 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:42.407013893 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:43.518086910 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:43.518105984 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:43.518119097 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:43.518130064 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:43.518141985 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:43.518148899 CET	50043	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:43.518153906 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:43.518178940 CET	50043	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:43.518218040 CET	50043	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:43.622136116 CET	50042	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:43.622597933 CET	50044	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:43.627243042 CET	8443	50042	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:43.627382040 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:43.627444029 CET	50042	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:43.627481937 CET	50044	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:43.627682924 CET	50044	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:43.632514954 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:44.102178097 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:44.104607105 CET	50044	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:44.104993105 CET	50044	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:44.105880022 CET	50044	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:44.109940052 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:44.110732079 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.204515934 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.204538107 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.204550982 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.204560995 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.204566002 CET	50044	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:45.204571009 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.204582930 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.204588890 CET	50044	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:45.204624891 CET	50044	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:45.310503006 CET	50043	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:45.311067104 CET	50045	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:45.315474033 CET	8443	50043	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.315526009 CET	50043	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:45.315865040 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.315926075 CET	50045	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:45.316152096 CET	50045	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:45.320909977 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.808892965 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.808957100 CET	50045	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:45.809341908 CET	50045	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:45.810468912 CET	50045	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:45.814083099 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:45.815330029 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:46.900202990 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:46.900218010 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:46.900233984 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:46.900244951 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:46.900255919 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:46.900268078 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:46.900298119 CET	50045	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:46.900340080 CET	50045	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:47.013828993 CET	50044	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:47.014586926 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:47.019454002 CET	8443	50044	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:47.019469023 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:47.019531012 CET	50044	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:47.019547939 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:47.019968033 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:47.024728060 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:47.475075006 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:47.475157022 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:47.475564003 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:47.476607084 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:47.480371952 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:47.481408119 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:48.536150932 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:48.536214113 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:48.536225080 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:48.536235094 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:48.536237001 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:48.536247969 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:48.536252975 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:48.536258936 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:48.536282063 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:48.536312103 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:48.638673067 CET	50045	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:48.639147997 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:48.643666983 CET	8443	50045	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:48.643749952 CET	50045	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:48.643919945 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:48.643992901 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:48.644299984 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:48.649137020 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:49.093667030 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:49.093732119 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:49.094147921 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:49.095304966 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:49.099020004 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:49.100162029 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.214267015 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.214339972 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.214355946 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.214363098 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.214375973 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.214390039 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.214392900 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.214401960 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.214404106 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.214420080 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.214430094 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.214463949 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.326231003 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.326751947 CET	50048	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.331351042 CET	8443	50046	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.331443071 CET	50046	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.331587076 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.331665039 CET	50048	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.332024097 CET	50048	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.336774111 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.797910929 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.798722982 CET	50048	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.799197912 CET	50048	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.800095081 CET	50048	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:50.804003954 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:50.804851055 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:51.951277971 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:51.951344013 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:51.951353073 CET	50048	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:51.951358080 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:51.951370001 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:51.951383114 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:51.951395035 CET	50048	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:51.951395988 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:51.951442957 CET	50048	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:52.060688972 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:52.061157942 CET	50049	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:52.065789938 CET	8443	50047	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:52.065881014 CET	50047	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:52.065980911 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:52.066051960 CET	50049	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:52.066356897 CET	50049	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:52.071254015 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:52.512547970 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:52.516653061 CET	50049	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:52.517015934 CET	50049	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:52.518068075 CET	50049	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:52.521822929 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:52.522840977 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:53.660604000 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:53.660630941 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:53.660641909 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:53.660654068 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:53.660665035 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:53.660677910 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:53.660702944 CET	50049	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:53.660754919 CET	50049	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:53.763639927 CET	50048	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:53.764148951 CET	50050	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:53.768708944 CET	8443	50048	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:53.768789053 CET	50048	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:53.768918037 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:53.768980026 CET	50050	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:53.769182920 CET	50050	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:53.773921013 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:54.265691996 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:54.265785933 CET	50050	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:54.266268015 CET	50050	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:54.267239094 CET	50050	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:54.271051884 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:54.272054911 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.389844894 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.389863014 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.389874935 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.389900923 CET	50050	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:55.389924049 CET	50050	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:55.389957905 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.389970064 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.389978886 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.390036106 CET	50050	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:55.498019934 CET	50049	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:55.498486996 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:55.502976894 CET	8443	50049	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.503036976 CET	50049	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:55.503277063 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.503353119 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:55.503639936 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:55.508493900 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.969670057 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.969747066 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:55.970264912 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:55.971139908 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:55.975033998 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:55.975908995 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.136878014 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.136936903 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.136936903 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.136949062 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.136960030 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.136970997 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.136976957 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.136981964 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.136995077 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.137033939 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.248045921 CET	50050	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.248833895 CET	50052	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.253952980 CET	8443	50050	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.254000902 CET	50050	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.254270077 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.254400015 CET	50052	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.254616022 CET	50052	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.259984016 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.702470064 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.702544928 CET	50052	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.702970028 CET	50052	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.704046011 CET	50052	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:57.707791090 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:57.708863974 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:58.797344923 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:58.797400951 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:58.797413111 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:58.797424078 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:58.797435999 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:58.797446966 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:58.797456980 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:58.797491074 CET	50052	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:58.797517061 CET	50052	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:58.904304028 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:58.904781103 CET	50053	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:58.909274101 CET	8443	50051	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:58.909354925 CET	50051	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:58.909590960 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:58.909677982 CET	50053	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:58.910010099 CET	50053	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:58.914819956 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:59.377893925 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:59.377954006 CET	50053	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:59.378483057 CET	50053	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:59.379611969 CET	50053	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:06:59.383248091 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:06:59.384387016 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:00.511940002 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:00.511964083 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:00.511976957 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:00.511987925 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:00.511998892 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:00.512010098 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:00.512020111 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:00.512027979 CET	50053	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:00.512077093 CET	50053	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:00.623169899 CET	50052	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:00.623709917 CET	50054	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:00.628479004 CET	8443	50052	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:00.628495932 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:00.628577948 CET	50052	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:00.628617048 CET	50054	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:00.628823042 CET	50054	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:00.633661985 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:01.109847069 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:01.109975100 CET	50054	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:01.110301971 CET	50054	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:01.111561060 CET	50054	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:01.115191936 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:01.116513968 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.185199976 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.185218096 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.185231924 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.185242891 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.185254097 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.185265064 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.185300112 CET	50054	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:02.185496092 CET	50054	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:02.294934988 CET	50053	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:02.295350075 CET	50055	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:02.300506115 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.300642967 CET	50055	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:02.300812960 CET	50055	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:02.304768085 CET	8443	50053	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.304824114 CET	50053	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:02.305535078 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.769476891 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.772645950 CET	50055	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:02.773020029 CET	50055	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:02.773890972 CET	50055	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:02.777782917 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:02.778703928 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:03.915566921 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:03.915580034 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:03.915591002 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:03.915602922 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:03.915613890 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:03.915623903 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:03.915633917 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:03.915658951 CET	50055	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:03.915710926 CET	50055	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:04.079854012 CET	50054	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:04.080313921 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:04.084868908 CET	8443	50054	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:04.085099936 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:04.085161924 CET	50054	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:04.085202932 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:04.087469101 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:04.092248917 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:04.559063911 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:04.559137106 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:04.559576035 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:04.560739994 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:04.564363956 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:04.565574884 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:05.681670904 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:05.681725025 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:05.681732893 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:05.681739092 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:05.681752920 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:05.681766033 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:05.681773901 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:05.681778908 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:05.681791067 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:05.681799889 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:05.681840897 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:05.794840097 CET	50055	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:05.795252085 CET	50057	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:05.799845934 CET	8443	50055	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:05.799909115 CET	50055	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:05.800054073 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:05.800110102 CET	50057	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:05.800281048 CET	50057	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:05.805042982 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:06.247263908 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:06.247320890 CET	50057	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:06.247742891 CET	50057	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:06.248821020 CET	50057	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:06.252624989 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:06.253633976 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.368257999 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.368273973 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.368284941 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.368295908 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.368311882 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.368321896 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.368333101 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.368370056 CET	50057	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:07.368412971 CET	50057	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:07.482537985 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:07.483067989 CET	50058	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:07.487637043 CET	8443	50056	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.487831116 CET	50056	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:07.487835884 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.487920046 CET	50058	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:07.488090992 CET	50058	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:07.492815971 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.966620922 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.966717958 CET	50058	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:07.967245102 CET	50058	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:07.968238115 CET	50058	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:07.975454092 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:07.976423979 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.064460039 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.064472914 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.064483881 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.064493895 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.064508915 CET	50058	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:09.064511061 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.064523935 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.064532995 CET	50058	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:09.064623117 CET	50058	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:09.169966936 CET	50057	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:09.170437098 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:09.175010920 CET	8443	50057	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.175215960 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.175271034 CET	50057	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:09.175327063 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:09.175515890 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:09.180250883 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.622317076 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.622371912 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:09.622787952 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:09.623960972 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:09.627518892 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:09.628715038 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:10.723810911 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:10.723871946 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:10.724049091 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:10.724069118 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:10.724081039 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:10.724092960 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:10.724096060 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:10.724104881 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:10.724107027 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:10.724132061 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:10.724162102 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:15.545089006 CET	50058	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:15.545537949 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:15.550143957 CET	8443	50058	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:15.550223112 CET	50058	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:15.550357103 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:15.550419092 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:15.550615072 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:15.555357933 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:16.006380081 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:16.008704901 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:16.009150982 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:16.010193110 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:16.013871908 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:16.014986038 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.084227085 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.084252119 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.084274054 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.084290981 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.084302902 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.084315062 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.084326029 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.084336042 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.084338903 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.084357977 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.084383965 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.207340956 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.207730055 CET	50061	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.212574959 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.212698936 CET	50061	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.214505911 CET	50061	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.217500925 CET	8443	50059	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.218713045 CET	50059	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.219264984 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.678941011 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.680743933 CET	50061	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.681179047 CET	50061	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.682173967 CET	50061	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:17.685983896 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:17.686934948 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:18.770945072 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:18.770958900 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:18.770970106 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:18.770982981 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:18.770993948 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:18.771004915 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:18.771007061 CET	50061	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:18.771017075 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:18.771056890 CET	50061	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:18.873226881 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:18.873788118 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:18.878254890 CET	8443	50060	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:18.878302097 CET	50060	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:18.878614902 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:18.878705978 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:18.879002094 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:18.883812904 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:19.331192970 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:19.331290007 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:19.331924915 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:19.332890987 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:19.336725950 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:19.337723017 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.410551071 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.410689116 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.410692930 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.410703897 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.410717010 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.410727978 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.410732031 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.410738945 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.410749912 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.410756111 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.410799980 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.513889074 CET	50061	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.514338017 CET	50063	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.519051075 CET	8443	50061	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.519233942 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.519316912 CET	50061	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.519330978 CET	50063	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.519567966 CET	50063	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.524333954 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.965406895 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.965468884 CET	50063	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.965873957 CET	50063	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.967329979 CET	50063	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:20.970599890 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:20.972074032 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.066783905 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.066824913 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.066834927 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.066845894 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.066859007 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.066870928 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.066881895 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.066917896 CET	50063	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:22.066946983 CET	50063	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:22.170030117 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:22.170500040 CET	50064	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:22.174992085 CET	8443	50062	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.175065041 CET	50062	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:22.175271988 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.175333023 CET	50064	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:22.175561905 CET	50064	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:22.180268049 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.640351057 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.640418053 CET	50064	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:22.640949965 CET	50064	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:22.642004013 CET	50064	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:22.645706892 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:22.646754980 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:23.777707100 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:23.777724028 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:23.777738094 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:23.777749062 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:23.777760983 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:23.777770996 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:23.777784109 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:23.777781963 CET	50064	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:23.777823925 CET	50064	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:23.888917923 CET	50063	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:23.889411926 CET	50065	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:23.893989086 CET	8443	50063	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:23.894047976 CET	50063	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:23.894181967 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:23.894287109 CET	50065	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:23.894578934 CET	50065	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:23.899322987 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:24.340105057 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:24.340719938 CET	50065	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:24.341135979 CET	50065	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:24.342371941 CET	50065	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:24.345895052 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:24.347116947 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:25.450005054 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:25.450020075 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:25.450031042 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:25.450037003 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:25.450042009 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:25.450048923 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:25.450052977 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:25.450067043 CET	50065	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:25.450149059 CET	50065	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:25.560698986 CET	50064	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:25.561183929 CET	50066	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:25.565973997 CET	8443	50066	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:25.566085100 CET	8443	50064	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:25.566193104 CET	50064	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:25.566212893 CET	50066	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:25.566387892 CET	50066	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:25.571122885 CET	8443	50066	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:26.013113022 CET	8443	50066	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:26.013176918 CET	50066	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:26.013747931 CET	50066	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:26.014683962 CET	50066	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:26.018439054 CET	8443	50066	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:26.019434929 CET	8443	50066	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.208617926 CET	8443	50066	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.208636045 CET	8443	50066	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.208650112 CET	8443	50066	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.208661079 CET	8443	50066	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.208673000 CET	8443	50066	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.208683968 CET	8443	50066	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.208695889 CET	50066	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:27.208741903 CET	50066	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:27.310628891 CET	50065	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:27.311141968 CET	50067	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:27.315557957 CET	8443	50065	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.315932989 CET	8443	50067	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.316004038 CET	50065	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:27.316061020 CET	50067	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:27.316310883 CET	50067	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:27.321131945 CET	8443	50067	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.787369013 CET	8443	50067	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.787441969 CET	50067	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:27.790916920 CET	50067	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:27.792061090 CET	50067	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:27.795773029 CET	8443	50067	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:27.796812057 CET	8443	50067	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:28.914848089 CET	8443	50067	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:28.914866924 CET	8443	50067	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:28.914877892 CET	8443	50067	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:28.914887905 CET	8443	50067	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:28.914900064 CET	8443	50067	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:28.914912939 CET	8443	50067	188.114.96.3	192.168.2.4
Jan 3, 2025 13:07:28.914947987 CET	50067	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:28.914947987 CET	50067	8443	192.168.2.4	188.114.96.3
Jan 3, 2025 13:07:28.914985895 CET	50067	8443	192.168.2.4	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 13:05:22.989248037 CET	51844	53	192.168.2.4	1.1.1.1
Jan 3, 2025 13:05:23.002871037 CET	53	51844	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 13:05:22.989248037 CET	192.168.2.4	1.1.1.1	0x1a38	Standard query (0)	632313373.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 13:05:23.002871037 CET	1.1.1.1	192.168.2.4	0x1a38	No error (0)	632313373.xyz		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 3, 2025 13:05:23.002871037 CET	1.1.1.1	192.168.2.4	0x1a38	No error (0)	632313373.xyz		188.114.97.3	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:05:21
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\mode11_AKUh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\mode11_AKUh.exe"
Imagebase:	0x700000
File size:	4'936'192 bytes
MD5 hash:	CE12295B93C314028F05184606C5E6D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3180278361.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	07:05:21
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.3%
Total number of Nodes:	207
Total number of Limit Nodes:	26

Executed Functions

Function 0000024FE789E68C Relevance: 9.3, APIs: 6, Instructions: 260
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.LIBCMT ref: 0000024FE789E725

Part of subcall function 0000024FE78AF63C: _errno.LIBCMT ref: 0000024FE78AF673
Part of subcall function 0000024FE78AF63C: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE78AF67E

_snprintf.LIBCMT ref: 0000024FE789E7BD
InternetQueryDataAvailable.WININET ref: 0000024FE789E87A

Part of subcall function 0000024FE78A2D70: strchr.LIBCMT ref: 0000024FE78A2DD6
Part of subcall function 0000024FE78A2D70: _snprintf.LIBCMT ref: 0000024FE78A2E0C

Part of subcall function 0000024FE78A2C0C: strchr.LIBCMT ref: 0000024FE78A2C69
Part of subcall function 0000024FE78A2C0C: _snprintf.LIBCMT ref: 0000024FE78A2CB3

_snprintf.LIBCMT ref: 0000024FE789E7D4

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _snprintf$strchr$AvailableDataInternetQuery_errno_invalid_parameter_noinfo
String ID:
API String ID: 2459009813-0
Opcode ID: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
Instruction ID: 1d6315ae750b92e2f65250ad7b9472c292021208c66223eb88a39bbedd3f670c
Opcode Fuzzy Hash: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
Instruction Fuzzy Hash: 1D81B731718A484FEB95EB54D8897AAB7E5FBE4312F10463DE54AC31A1DF24DA028781

Function 0000024FE78A5E28 Relevance: 4.7, APIs: 3, Instructions: 190
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000024FE78A5FEC: malloc.LIBCMT ref: 0000024FE78A6008

GetUserNameA.ADVAPI32(?,?,?,?,?,?,?,-00000001,?,-00000001,?,00000002,0000024FE789CC89), ref: 0000024FE78A5EAF
strrchr.LIBCMT ref: 0000024FE78A5EED
_snprintf.LIBCMT ref: 0000024FE78A5F9B

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: NameUser_snprintfmallocstrrchr
String ID:
API String ID: 1238167203-0
Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction ID: 1ca66f595f0b31bf08b37bdc68a81f261a475379d32be8ad8cad093cbc53295a
Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction Fuzzy Hash: 26516330718E084FEAC8AB68955A7B976D2E7D8311F24453EF18FC32A7EA34D9438745

Function 0000024FE789CA74 Relevance: 7.9, APIs: 6, Instructions: 411
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000024FE78A5FEC: malloc.LIBCMT ref: 0000024FE78A6008

malloc.LIBCMT ref: 0000024FE789CB3B

Part of subcall function 0000024FE78AF284: _FF_MSGBANNER.LIBCMT ref: 0000024FE78AF2B4
Part of subcall function 0000024FE78AF284: _NMSG_WRITE.LIBCMT ref: 0000024FE78AF2BE
Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF2F2
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF2FD
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF308

Part of subcall function 0000024FE78AC230: malloc.LIBCMT ref: 0000024FE78AC29C

Part of subcall function 0000024FE78AEAA8: malloc.LIBCMT ref: 0000024FE78AEAF8

Part of subcall function 0000024FE78AEAA8: realloc.LIBCMT ref: 0000024FE78AEB07

malloc.LIBCMT ref: 0000024FE789CC4A
_snprintf.LIBCMT ref: 0000024FE789CCC1
_snprintf.LIBCMT ref: 0000024FE789CCE7
_snprintf.LIBCMT ref: 0000024FE789CD0E
free.LIBCMT ref: 0000024FE789CEC6

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno$_callnewhfreerealloc
String ID:
API String ID: 74200508-0
Opcode ID: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction ID: baadaed0f54a75f190610ab6331c8cdaa4acbb4f52089c4172953044cc1958c4
Opcode Fuzzy Hash: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction Fuzzy Hash: ADD18030715E054BEBD8BB748A5A3A976D1EBE4343F60453DA64AC32F3DE24DA078781

Function 0000024FE789F014 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32 ref: 0000024FE789F042
WSAIoctl.WS2_32 ref: 0000024FE789F08F
closesocket.WS2_32 ref: 0000024FE789F0EE

Strings

_Cy, xrefs: 0000024FE789F0A1

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: IoctlSocketclosesocket
String ID: _Cy
API String ID: 3445158922-1085951347
Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction ID: 933e2f6182608fef39832805b33d18cc0a18d3741b1ed8732ccde67a2a59da0d
Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction Fuzzy Hash: 96318730618E484BDBD8DF289588766B7D5FBE8316F21463EE58EC32B1DB34C9428741

Function 0000024FE789EA48 Relevance: 3.2, APIs: 2, Instructions: 159
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 0000024FE789EB0C
InternetConnectA.WININET ref: 0000024FE789EB7A

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction ID: 13923569b09693ce5c064ef9403991ab73aba17ab1ffa63bd19716368cd2a600
Opcode Fuzzy Hash: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction Fuzzy Hash: BC51C430319F054FEB88DB28D59A76977D1FB98302F21553DE18BC32B2DA389A038742

Function 0000024FE60B96B4 Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000024FE60B977B

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
Instruction ID: 11c8782784c41b3aff9438896dd6f787ccfa2a369bd7d69f6f4f53a3b0d40496
Opcode Fuzzy Hash: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
Instruction Fuzzy Hash: 0D719B36319B8886DAA0CB09E49035AB7A0F7C9B94F508125EFCE83B69DF3DD555CB00

Function 0000024FE60B9324 Relevance: 1.3, APIs: 1, Instructions: 87
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000024FE60B9471

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction ID: 07d63aa6bc948d181d1d3817951ed187b651635ee854a7660d6911b4c5625196
Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction Fuzzy Hash: C441A972618B8887DB90CF19E44471AB7A1F7C9B94F505125FB9E87BA8DB3CD8518B00

Function 0076F220 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3178766454.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.3178741591.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3178839174.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179036662.0000000000A9A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179055452.0000000000A9C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179075161.0000000000AA1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179097063.0000000000AAE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179113754.0000000000AAF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179113754.0000000000AC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179113754.0000000000ACB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179113754.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179113754.0000000000AF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179212312.0000000000AFA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179212312.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179294118.0000000000BE1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179311530.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_mode11_AKUh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a83c295b55d1fb3924cfc6086ff6026e810ee76d85704118357723c5304dc2
Instruction ID: 01966aa79e86d91eb722a9610200211852e096f4bb503193d254ad2d59ca95ff
Opcode Fuzzy Hash: a2a83c295b55d1fb3924cfc6086ff6026e810ee76d85704118357723c5304dc2
Instruction Fuzzy Hash: 0B319A6391CFC482D3218B24F5413AAB364F7A9784F15A715EFC912A1ADF38E2E5CB40

Function 0076B5C0 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3178766454.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.3178741591.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3178839174.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179036662.0000000000A9A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179055452.0000000000A9C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179075161.0000000000AA1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179097063.0000000000AAE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179113754.0000000000AAF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179113754.0000000000AC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179113754.0000000000ACB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179113754.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179113754.0000000000AF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179212312.0000000000AFA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179212312.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179294118.0000000000BE1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179311530.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_mode11_AKUh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f426410239744f5ba57e2b78151ac65bfe157d6a2c0a85e8369f5e0dce230c44
Instruction ID: 785c79c80471a00a1a60fcfd7c5bed8a2a7ad5feac02c231ea77763dea1a261f
Opcode Fuzzy Hash: f426410239744f5ba57e2b78151ac65bfe157d6a2c0a85e8369f5e0dce230c44
Instruction Fuzzy Hash:

Non-executed Functions

Function 0000024FE60C239C Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000024FE60C23FD

Part of subcall function 0000024FE60C0A00: _getptd.LIBCMT ref: 0000024FE60C0A16
Part of subcall function 0000024FE60C0A00: __updatetlocinfo.LIBCMT ref: 0000024FE60C0A4B
Part of subcall function 0000024FE60C0A00: __updatetmbcinfo.LIBCMT ref: 0000024FE60C0A72

_errno.LIBCMT ref: 0000024FE60C2402

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

_fileno.LIBCMT ref: 0000024FE60C242F

Part of subcall function 0000024FE60C4E54: _errno.LIBCMT ref: 0000024FE60C4E5D
Part of subcall function 0000024FE60C4E54: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE60C4E68

write_multi_char.LIBCMT ref: 0000024FE60C2A6B
write_string.LIBCMT ref: 0000024FE60C2A88
write_multi_char.LIBCMT ref: 0000024FE60C2AA5
write_string.LIBCMT ref: 0000024FE60C2B04
write_string.LIBCMT ref: 0000024FE60C2B3B
write_multi_char.LIBCMT ref: 0000024FE60C2B5D
free.LIBCMT ref: 0000024FE60C2B71
_isleadbyte_l.LIBCMT ref: 0000024FE60C2C42
write_char.LIBCMT ref: 0000024FE60C2C58
write_char.LIBCMT ref: 0000024FE60C2C79
_errno.LIBCMT ref: 0000024FE60C2D7C
_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60C2D87

Strings

@, xrefs: 0000024FE60C241B
, xrefs: 0000024FE60C2A3F

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
Instruction ID: d1698d2e1acd8ee0d012543ba3ca21beaa4679e2f056c9b9ad2c0197c4485c76
Opcode Fuzzy Hash: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
Instruction Fuzzy Hash: 2752C2227046AC86FBE58B15974C36E6BA0BFC5F86F941125DB4607EF6DB78C840CB02

Function 0000024FE78B2F9C Relevance: 30.8, APIs: 15, Strings: 2, Instructions: 1030COMMON

Download Yara Rule

APIs

Part of subcall function 0000024FE78B1600: _getptd.LIBCMT ref: 0000024FE78B1616
Part of subcall function 0000024FE78B1600: __updatetlocinfo.LIBCMT ref: 0000024FE78B164B
Part of subcall function 0000024FE78B1600: __updatetmbcinfo.LIBCMT ref: 0000024FE78B1672

_errno.LIBCMT ref: 0000024FE78B3002

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

_fileno.LIBCMT ref: 0000024FE78B302F

Part of subcall function 0000024FE78B5A54: _errno.LIBCMT ref: 0000024FE78B5A5D
Part of subcall function 0000024FE78B5A54: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B5A68

write_multi_char.LIBCMT ref: 0000024FE78B366B
write_string.LIBCMT ref: 0000024FE78B3688
write_multi_char.LIBCMT ref: 0000024FE78B36A5
write_string.LIBCMT ref: 0000024FE78B3704
write_multi_char.LIBCMT ref: 0000024FE78B375D
free.LIBCMT ref: 0000024FE78B3771
_isleadbyte_l.LIBCMT ref: 0000024FE78B3842
write_char.LIBCMT ref: 0000024FE78B3858
write_char.LIBCMT ref: 0000024FE78B3879
_errno.LIBCMT ref: 0000024FE78B397C
_invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B3987

Strings

, xrefs: 0000024FE78B363F
@, xrefs: 0000024FE78B301B

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3613058218-1077428164
Opcode ID: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
Instruction ID: 35750fbf733dbc6ee1d013ac8408e6b2cc2772f486a776ec964b41fb84f5c315
Opcode Fuzzy Hash: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
Instruction Fuzzy Hash: 0562E938B18E458AF7A98E18D949379B7D1FBF6312F34023DD687C39E1DA24DA078641

Function 0000024FE78B2528 Relevance: 29.0, APIs: 15, Strings: 1, Instructions: 1022COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000024FE78B1600: _getptd.LIBCMT ref: 0000024FE78B1616
Part of subcall function 0000024FE78B1600: __updatetlocinfo.LIBCMT ref: 0000024FE78B164B
Part of subcall function 0000024FE78B1600: __updatetmbcinfo.LIBCMT ref: 0000024FE78B1672

_errno.LIBCMT ref: 0000024FE78B258E

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

_fileno.LIBCMT ref: 0000024FE78B25BB

Part of subcall function 0000024FE78B5A54: _errno.LIBCMT ref: 0000024FE78B5A5D
Part of subcall function 0000024FE78B5A54: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B5A68

write_multi_char.LIBCMT ref: 0000024FE78B2BEB
write_string.LIBCMT ref: 0000024FE78B2C08
write_multi_char.LIBCMT ref: 0000024FE78B2C25
write_string.LIBCMT ref: 0000024FE78B2C84
write_multi_char.LIBCMT ref: 0000024FE78B2CDD
free.LIBCMT ref: 0000024FE78B2CF1
_isleadbyte_l.LIBCMT ref: 0000024FE78B2DC2
write_char.LIBCMT ref: 0000024FE78B2DD8
write_char.LIBCMT ref: 0000024FE78B2DF9
_errno.LIBCMT ref: 0000024FE78B2EF3
_invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B2EFE

Strings

, xrefs: 0000024FE78B2BBF

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3613058218-3916222277
Opcode ID: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
Instruction ID: f36093320662f05a128a6b1a07670e27f85f39ed343a0600740f17f6e53c46c9
Opcode Fuzzy Hash: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
Instruction Fuzzy Hash: 28620939B18E498AF7AC9E58855D3A977D1FBF5312F34023DD687C31F2DA249A038642

Function 0000024FE60C1928 Relevance: 28.6, APIs: 14, Strings: 2, Instructions: 645COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000024FE60C1989

Part of subcall function 0000024FE60C0A00: _getptd.LIBCMT ref: 0000024FE60C0A16
Part of subcall function 0000024FE60C0A00: __updatetlocinfo.LIBCMT ref: 0000024FE60C0A4B
Part of subcall function 0000024FE60C0A00: __updatetmbcinfo.LIBCMT ref: 0000024FE60C0A72

_errno.LIBCMT ref: 0000024FE60C198E

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

_fileno.LIBCMT ref: 0000024FE60C19BB

Part of subcall function 0000024FE60C4E54: _errno.LIBCMT ref: 0000024FE60C4E5D
Part of subcall function 0000024FE60C4E54: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE60C4E68

write_multi_char.LIBCMT ref: 0000024FE60C1FEB
write_string.LIBCMT ref: 0000024FE60C2008
_errno.LIBCMT ref: 0000024FE60C22F3
_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60C22FE

Strings

-, xrefs: 0000024FE60C1F9C
0, xrefs: 0000024FE60C1D28

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
String ID: -$0
API String ID: 3246410048-417717675
Opcode ID: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
Instruction ID: 00af4e9c304f8b1e8b1392b49fb46116c6e0e6b8fc8d6fd5ba419cec87c0da58
Opcode Fuzzy Hash: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
Instruction Fuzzy Hash: 1B42E4227086BC86FBE58B19975C36D6BA0BFC1F46F940025DF4646AF6D739C841CB02

Function 0000024FE60C5914 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000024FE60C596A
_errno.LIBCMT ref: 0000024FE60C5971
_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60C597C

Strings

U, xrefs: 0000024FE60C5EDE

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
Instruction ID: 417090e840306cf30d3e67138d63298ec85dc8ed9d1ed5d4901f6181c0507874
Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
Instruction Fuzzy Hash: BA1203363146698AFBA18F24D68C35EB7A0FBC4F56F900122EB49436B7DB39C455CB12

Function 0000024FE78A7B38 Relevance: 13.3, APIs: 10, Instructions: 790COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000024FE78A7CA5
_snprintf.LIBCMT ref: 0000024FE78A7D66
_snprintf.LIBCMT ref: 0000024FE78A7D83
_snprintf.LIBCMT ref: 0000024FE78A7FD8
_snprintf.LIBCMT ref: 0000024FE78A80E8
_snprintf.LIBCMT ref: 0000024FE78A81A6
_snprintf.LIBCMT ref: 0000024FE78A825E
_snprintf.LIBCMT ref: 0000024FE78A8002

Part of subcall function 0000024FE78AF63C: _errno.LIBCMT ref: 0000024FE78AF673
Part of subcall function 0000024FE78AF63C: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE78AF67E

_snprintf.LIBCMT ref: 0000024FE78A8276
_snprintf.LIBCMT ref: 0000024FE78A8334

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction ID: 37ebf3b6130f13254fb2311b252fbf0d74f270ecb58f14abb8e8c874177c17aa
Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction Fuzzy Hash: 5B52B520618D899BE7DAAB2CD5467E1F3E0FFB4306F545228DA85C7162FB34D6838781

Function 0000024FE60B6F38 Relevance: 13.0, APIs: 10, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000024FE60B7166
_snprintf.LIBCMT ref: 0000024FE60B7183
_snprintf.LIBCMT ref: 0000024FE60B70A5

Part of subcall function 0000024FE60BEA3C: _errno.LIBCMT ref: 0000024FE60BEA73
Part of subcall function 0000024FE60BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE60BEA7E

_snprintf.LIBCMT ref: 0000024FE60B73D8
_snprintf.LIBCMT ref: 0000024FE60B7734

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction ID: 1d92c7208941d4915e2cbc6c636778d58ca2bf50e03086d3165bab00c4ef9fc0
Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction Fuzzy Hash: 8942CA61714E9992F6568F29D1053E8A3B0FFD8B9AF449511DF8A17B72EF38D1A2C300

Function 0000024FE60CB7B0 Relevance: 5.9, Strings: 4, Instructions: 884COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0000024FE60CBE63
ailure #%d - %s, xrefs: 0000024FE60CC41F, 0000024FE60CC498, 0000024FE60CC511, 0000024FE60CC58A
e ', xrefs: 0000024FE60CC405, 0000024FE60CC47E, 0000024FE60CC4F7, 0000024FE60CC570
<, xrefs: 0000024FE60CBE6E

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID:
String ID: $<$ailure #%d - %s$e '
API String ID: 0-963976815
Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction ID: aa59c8c218075c93036b27ae37df56e3032c45083b233f267a399d516524cf46
Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction Fuzzy Hash: 6F92E0B2325A8087DB58CB1DE4A573AB7A1F3C8B84F54513AE79B877A5CA3CC451CB04

Function 0000024FE60CC397 Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

ailure #%d - %s, xrefs: 0000024FE60CC41F, 0000024FE60CC498, 0000024FE60CC511, 0000024FE60CC58A
e ', xrefs: 0000024FE60CC405, 0000024FE60CC47E, 0000024FE60CC4F7, 0000024FE60CC570

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID:
String ID: ailure #%d - %s$e '
API String ID: 0-4163927988
Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction ID: 7acc3f8d10c4476d8594f9759ee1b23e0e57f056eb5954368cab3ca291b4a62a
Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction Fuzzy Hash: 8D612AB6314A548BD794CB09E49462AB7E1F3CCBC5F84522AE38A8B768CA3CD545CB44

Function 0000024FE78B01A8 Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 0000024FE78B01DC

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _initp_misc_winsig
String ID:
API String ID: 2710132595-0
Opcode ID: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
Instruction ID: bfd694f76686a375cf86cd7b8077fe05fb987f9a377790fc4f2b26e15ec897d9
Opcode Fuzzy Hash: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
Instruction Fuzzy Hash: A3A1DE71619E098FEF94FF75E898AAA37B2F764301721893A904AC3174DABCD545CF40

Function 0000024FE78BDBF0 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: 3473b8f48d5e0111febf9e057b751f1f19857a8ad0dcd1a44958f8faf3b15d25
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: F2620A31228A558FD31CCB1CC5B1B7AB7E1FB89340F44896DE287CB692C639DA45CB91

Function 0000024FE78BD280 Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: 55e54cc0dbbe4fe29579a6030464985dd874fd1ff1029c5b1ecb610bcefb36bf
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: 0752EE312286558FD31CCF1CC5A1E7AB7E1FB8D340F448A6DE28ACB692C639D645CB91

Function 0000024FE60CCFF0 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: 9b93e89b4cfde290556060be8ad1fe98644cffca0019148f6166247a13b43ab0
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: FA5261B231495587E708CB1CE4A573AB7A1F3C9B81F44862AE7878B7A9CE3CD554CB04

Function 0000024FE60CC680 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: fbc67e681633897c9daa589ed0ee17827b55095e09d5055edef598d44706cfad
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: 385264B23045948BD708CF1DE4A573AB7E1F3C9B80F44862AE7868B7A9CA3DD545CB40

Function 0000024FE60A9680 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
Instruction ID: d606cff2abaffa31e86a382c8412d756457c9b73401ada1d24691db143342a64
Opcode Fuzzy Hash: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
Instruction Fuzzy Hash: 48F1C63332466A86FBA0DB15E6983AE63A1F7D4BC5FD00131DB4D877A6EA34C901CB40

Function 0000024FE60ACE3C Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74bee57ece39a3ee739721ddd6b8b7c874878cbec99e002ba7fd2a6b2694298
Instruction ID: 414fe35f67f652f683f5108aec09cdab2bb64b507ffc06acbfb6e3779a7d49e2
Opcode Fuzzy Hash: f74bee57ece39a3ee739721ddd6b8b7c874878cbec99e002ba7fd2a6b2694298
Instruction Fuzzy Hash: 9EE1747371066587FBA4CF25EA453A963A1F7C8B96F848135DB8A976A3DA3CE441C300

Function 0000024FE60A916C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
Instruction ID: d593f699d5710a0fccaaf18afcf1d744ce22c9a825db8e4a3d7342c152f6eeb2
Opcode Fuzzy Hash: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
Instruction Fuzzy Hash: A2E1D433324A6A91FFA09F64D5943AE67A1F7D4BC9FD00131DB4D876AAEA34C905C740

Function 0000024FE60B0334 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
Instruction ID: 51f807071c990afb7ffac17d0f478d29baca69ccae82a91d08aaa92159410c89
Opcode Fuzzy Hash: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
Instruction Fuzzy Hash: 79715B32714A6886FBA08F61E64C35E73A1F7C8F86F809135DB4A437A6DF78C5458B40

Function 0000024FE78B6E1C Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78B6E4E

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

__doserrno.LIBCMT ref: 0000024FE78B6E45

Part of subcall function 0000024FE78B1CA8: _getptd_noexit.LIBCMT ref: 0000024FE78B1CAC

__doserrno.LIBCMT ref: 0000024FE78B6EAB
_errno.LIBCMT ref: 0000024FE78B6EB2
_invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B6F16

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction ID: a644b84df581468dbb5291f3f318e5ec661bbb3eb40b63a934dfd35645e67e7f
Opcode Fuzzy Hash: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction Fuzzy Hash: 1B31EA35718F054FE399AF68898A36D32D0EBD2322F750279E6168B2F7D670AA034351

Function 0000024FE60C1B48 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

write_multi_char.LIBCMT ref: 0000024FE60C1FEB
write_string.LIBCMT ref: 0000024FE60C2008
write_multi_char.LIBCMT ref: 0000024FE60C2025
write_string.LIBCMT ref: 0000024FE60C2084
write_multi_char.LIBCMT ref: 0000024FE60C20DD
free.LIBCMT ref: 0000024FE60C20F1

Strings

, xrefs: 0000024FE60C1FBF

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: write_multi_char$write_string$free
String ID:
API String ID: 2630409672-3916222277
Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
Instruction ID: 3ddd64fb952e190cb19ae69984ca98c09bdc5a88483a470f135110550d45cc92
Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
Instruction Fuzzy Hash: 60A1E62270466886FBA1CB55E60C3AE6BB0BBC5F95F940026DF4957BF6DB34C941C702

Function 0000024FE78B7C08 Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78B7C33

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

__doserrno.LIBCMT ref: 0000024FE78B7C2B

Part of subcall function 0000024FE78B1CA8: _getptd_noexit.LIBCMT ref: 0000024FE78B1CAC

__lock_fhandle.LIBCMT ref: 0000024FE78B7C77
_lseeki64_nolock.LIBCMT ref: 0000024FE78B7C90
_unlock_fhandle.LIBCMT ref: 0000024FE78B7CB3

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction ID: e57da53d29be7e868bce4066b0d5a01c55087ffffa974eef716454939a910a2c
Opcode Fuzzy Hash: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction Fuzzy Hash: 42213734B18F040FF399AF18995A36D72D0EBE5333F75026EE256872F3C6605A0342A2

Function 0000024FE78B7A90 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78B7ABB

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

__doserrno.LIBCMT ref: 0000024FE78B7AB3

Part of subcall function 0000024FE78B1CA8: _getptd_noexit.LIBCMT ref: 0000024FE78B1CAC

__lock_fhandle.LIBCMT ref: 0000024FE78B7AFF
_lseek_nolock.LIBCMT ref: 0000024FE78B7B18
_unlock_fhandle.LIBCMT ref: 0000024FE78B7B39

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction ID: 7a7ff81b4b4c50248781b0cdb5cb198f9a1107d77ce0925ebcc6fd830a4b7ede
Opcode Fuzzy Hash: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction Fuzzy Hash: 71212934B08B000FF3996F18D95A3BD76D0DBE2332F750269E296871F3D7645A034696

Function 0000024FE60C621C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60C624E

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

__doserrno.LIBCMT ref: 0000024FE60C6245

Part of subcall function 0000024FE60C10A8: _getptd_noexit.LIBCMT ref: 0000024FE60C10AC

__doserrno.LIBCMT ref: 0000024FE60C62AB
_errno.LIBCMT ref: 0000024FE60C62B2
_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60C6316

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
Instruction ID: aecf3bb4b52b687db1746c2a1cfa24cb4907cad90c76c98092baf22448b06b8d
Opcode Fuzzy Hash: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
Instruction Fuzzy Hash: 9E31033132077886F7A26F659A5D35D2650AFC1FA2FD44135AF11173F3CA78C8428702

Function 0000024FE60CF150 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60CF176
_errno.LIBCMT ref: 0000024FE60CF16B

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
Instruction ID: 69e04489506d832d170413e52afeb337b5075801814d96e4425cb23b5a62a905
Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
Instruction Fuzzy Hash: 9341F3B57102B982FBE0AB1586183AD72A0EFD4F96FE05231EF94436E7D728CD419603

Function 0000024FE78B6434 Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78B645F

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

__doserrno.LIBCMT ref: 0000024FE78B6457

Part of subcall function 0000024FE78B1CA8: _getptd_noexit.LIBCMT ref: 0000024FE78B1CAC

__lock_fhandle.LIBCMT ref: 0000024FE78B64A3
_unlock_fhandle.LIBCMT ref: 0000024FE78B64DD

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction ID: 60a69fe94ab6c52872c27455d5014dee3f1b3904f0da1f154129e44fee6c7c63
Opcode Fuzzy Hash: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction Fuzzy Hash: CE210734B08E004EF399AF18DA9A36D72D0DBE1323F750278E215871F7D66459034296

Function 0000024FE78B5C58 Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78B5C79

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

__doserrno.LIBCMT ref: 0000024FE78B5C71

Part of subcall function 0000024FE78B1CA8: _getptd_noexit.LIBCMT ref: 0000024FE78B1CAC

__lock_fhandle.LIBCMT ref: 0000024FE78B5CBD
_close_nolock.LIBCMT ref: 0000024FE78B5CD0
_unlock_fhandle.LIBCMT ref: 0000024FE78B5CE9

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction ID: 2f0ed4ec3865831f0c3c437ba254bdee7f91e10c7c2326d71629ef447ceee298
Opcode Fuzzy Hash: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction Fuzzy Hash: FD21F339708E004EF395AF6489AD36976D1EBE1322F79063AE2168B1F3C6748A024761

Function 0000024FE60C6E90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60C6EBB

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

__doserrno.LIBCMT ref: 0000024FE60C6EB3

Part of subcall function 0000024FE60C10A8: _getptd_noexit.LIBCMT ref: 0000024FE60C10AC

__lock_fhandle.LIBCMT ref: 0000024FE60C6EFF
_lseek_nolock.LIBCMT ref: 0000024FE60C6F18

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
String ID:
API String ID: 310312816-0
Opcode ID: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
Instruction ID: 10230e32206729720791a045f1a543fcbe2c0b921bb1a99e5a1bd8cc159d4652
Opcode Fuzzy Hash: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
Instruction Fuzzy Hash: 7F21F02272066849F7A12F259A4D3AD6660AFC0FA3FD94175AB15073F3CB78C8428726

Function 0000024FE60C7008 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60C7033

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

__doserrno.LIBCMT ref: 0000024FE60C702B

Part of subcall function 0000024FE60C10A8: _getptd_noexit.LIBCMT ref: 0000024FE60C10AC

__lock_fhandle.LIBCMT ref: 0000024FE60C7077
_lseeki64_nolock.LIBCMT ref: 0000024FE60C7090

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
String ID:
API String ID: 4140391395-0
Opcode ID: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
Instruction ID: 07a553054b015dc128ef465cc87fcb8d3eff1e48a8bb8aa85e0d042c1f91d3b2
Opcode Fuzzy Hash: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
Instruction Fuzzy Hash: F421B32270066885F7922F259A0E3AD6A50AFC0FB3FA94734AB35073F3C77984518762

Function 0000024FE78AFF6C Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000024FE78AFF9A

Part of subcall function 0000024FE78AF244: RtlFreeHeap.NTDLL ref: 0000024FE78AF25A
Part of subcall function 0000024FE78AF244: _errno.LIBCMT ref: 0000024FE78AF264

free.LIBCMT ref: 0000024FE78AFFAF
free.LIBCMT ref: 0000024FE78AFFD0
free.LIBCMT ref: 0000024FE78AFFE5
free.LIBCMT ref: 0000024FE78AFFF9
free.LIBCMT ref: 0000024FE78B0005
free.LIBCMT ref: 0000024FE78B0030
free.LIBCMT ref: 0000024FE78B0051
free.LIBCMT ref: 0000024FE78B006A
free.LIBCMT ref: 0000024FE78B009B

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction ID: 4b51176bc3818b47e7306e7b8d9b2515a8765c970da03d791763502c6a041ef4
Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction Fuzzy Hash: 52413B34356E0A8FFBE4EB58E999B6472D0E7A8317F6441799606C21E1CB6CCE468710

Function 0000024FE60BF36C Relevance: 12.6, APIs: 10, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000024FE60BF39A

Part of subcall function 0000024FE60BE644: _errno.LIBCMT ref: 0000024FE60BE664

free.LIBCMT ref: 0000024FE60BF3AF
free.LIBCMT ref: 0000024FE60BF3D0
free.LIBCMT ref: 0000024FE60BF3E5
free.LIBCMT ref: 0000024FE60BF3F9
free.LIBCMT ref: 0000024FE60BF405
free.LIBCMT ref: 0000024FE60BF430
free.LIBCMT ref: 0000024FE60BF451
free.LIBCMT ref: 0000024FE60BF46A
free.LIBCMT ref: 0000024FE60BF49B

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
Instruction ID: 8d4a7e819748616e8cd18063805d7af91382cbf81ee0a68607f35a4fa8de632f
Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
Instruction Fuzzy Hash: 5B31C621341A7981FED59F51EB6D36423A0ABD8F92FC89535EB2B066F3CF2884448201

Function 0000024FE78BFD50 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE78BFD76
_errno.LIBCMT ref: 0000024FE78BFD6B

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction ID: ce35f33f5432092e6ead8ffea8197341bd5feded1a9628b5f5e264174cd8c7fc
Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction Fuzzy Hash: D351E838714E1A4AEBE4AF58464D3B973D0EBB4323FB4017AA655CB1F6D7248E438741

Function 0000024FE60C5834 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60C585F

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

__doserrno.LIBCMT ref: 0000024FE60C5857

Part of subcall function 0000024FE60C10A8: _getptd_noexit.LIBCMT ref: 0000024FE60C10AC

__lock_fhandle.LIBCMT ref: 0000024FE60C58A3

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
String ID:
API String ID: 2611593033-0
Opcode ID: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
Instruction ID: b4d948f3f7c1c61868a1f37dd765080c62a913606e9424a3415479d3dd4d7107
Opcode Fuzzy Hash: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
Instruction Fuzzy Hash: F821262271027842F7822F259A4E7AD6660AFC0FA3FD54134AB15173F3CBB88851D722

Function 0000024FE60C5058 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60C5079

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

__doserrno.LIBCMT ref: 0000024FE60C5071

Part of subcall function 0000024FE60C10A8: _getptd_noexit.LIBCMT ref: 0000024FE60C10AC

__lock_fhandle.LIBCMT ref: 0000024FE60C50BD
_close_nolock.LIBCMT ref: 0000024FE60C50D0

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
String ID:
API String ID: 4060740672-0
Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
Instruction ID: 25511ba1db1af479313653a5bd5b1fc81948ba098c4073a9f2aeb289e65ebf3b
Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
Instruction Fuzzy Hash: 621100223006AC45F3966F699F8D3AC6650AFC0F63FE94634AB15472F3C6B888618352

Function 0000024FE789460C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE78946A9

Part of subcall function 0000024FE78AF284: _FF_MSGBANNER.LIBCMT ref: 0000024FE78AF2B4
Part of subcall function 0000024FE78AF284: _NMSG_WRITE.LIBCMT ref: 0000024FE78AF2BE
Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF2F2
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF2FD
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF308

malloc.LIBCMT ref: 0000024FE78946B3

Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF318
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF31D

malloc.LIBCMT ref: 0000024FE78946BE
free.LIBCMT ref: 0000024FE789487E
free.LIBCMT ref: 0000024FE7894886
free.LIBCMT ref: 0000024FE789488E

Part of subcall function 0000024FE78954F0: malloc.LIBCMT ref: 0000024FE789553A
Part of subcall function 0000024FE78954F0: malloc.LIBCMT ref: 0000024FE7895545
Part of subcall function 0000024FE78954F0: free.LIBCMT ref: 0000024FE789562C
Part of subcall function 0000024FE78954F0: free.LIBCMT ref: 0000024FE7895634

free.LIBCMT ref: 0000024FE789489A
free.LIBCMT ref: 0000024FE78948A7
free.LIBCMT ref: 0000024FE78948B4

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction ID: b981ef9eec078191d54315959c4d78f90c7ef3023e425284d5427cc8327b86e4
Opcode Fuzzy Hash: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction Fuzzy Hash: C391CA30318F8C4BD7A99A5C955577AB3D1E7E5303F60126ED54ED32A2DE20DD038686

Function 0000024FE60A3A0C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE60A3AA9

Part of subcall function 0000024FE60BE684: _FF_MSGBANNER.LIBCMT ref: 0000024FE60BE6B4
Part of subcall function 0000024FE60BE684: _NMSG_WRITE.LIBCMT ref: 0000024FE60BE6BE
Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE6F2
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE6FD
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE708

malloc.LIBCMT ref: 0000024FE60A3AB3

Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE718
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE71D

malloc.LIBCMT ref: 0000024FE60A3ABE
free.LIBCMT ref: 0000024FE60A3C7E
free.LIBCMT ref: 0000024FE60A3C86
free.LIBCMT ref: 0000024FE60A3C8E

Part of subcall function 0000024FE60A48F0: malloc.LIBCMT ref: 0000024FE60A493A
Part of subcall function 0000024FE60A48F0: malloc.LIBCMT ref: 0000024FE60A4945
Part of subcall function 0000024FE60A48F0: free.LIBCMT ref: 0000024FE60A4A2C
Part of subcall function 0000024FE60A48F0: free.LIBCMT ref: 0000024FE60A4A34

free.LIBCMT ref: 0000024FE60A3C9A
free.LIBCMT ref: 0000024FE60A3CA7
free.LIBCMT ref: 0000024FE60A3CB4

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
Instruction ID: 8de22e159fcd04a4bb1d5d9946981dbd10e321f1f74a7269535b5114cb462c8d
Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
Instruction Fuzzy Hash: 5B71F8333047A84AFB949F2699487AA7791B7E4FC9F8445359F4687BA7DB38C405CB00

Function 0000024FE78AFE10 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78AFE36

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE78AFE42
__crtIsPackagedApp.LIBCMT ref: 0000024FE78AFE53
_dosmaperr.LIBCMT ref: 0000024FE78AFE9D

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction ID: 1846055c43e9d839ea0d332536dbbce87f1b874c2e5d4f86a4eb771ba762bc52
Opcode Fuzzy Hash: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction Fuzzy Hash: FA31B330714E094FEBC8AF68994936976D1FBE8322F24426DA54AC72F2D778CD528742

Function 0000024FE78BA73C Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78BA755

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

__lock_fhandle.LIBCMT ref: 0000024FE78BA79D
__doserrno.LIBCMT ref: 0000024FE78BA7D2
_errno.LIBCMT ref: 0000024FE78BA7D9
_unlock_fhandle.LIBCMT ref: 0000024FE78BA7E9

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction ID: d0e8cd0e9dbb4854caa4eaf700d6141c567711a30af56dd3cdfcce44084374e1
Opcode Fuzzy Hash: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction Fuzzy Hash: C4213A28708E044EF394EF689A9D36D76E0EBD1312F74013CE3568B1F3D6645E424396

Function 0000024FE60BF210 Relevance: 10.6, APIs: 7, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60BF236

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60BF242
__crtIsPackagedApp.LIBCMT ref: 0000024FE60BF253
_dosmaperr.LIBCMT ref: 0000024FE60BF29D

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
Instruction ID: c912d7056e6e98d1d8df6aad8fb7bc783eb04b035c0d341418a41cf119f5fbff
Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
Instruction Fuzzy Hash: B331A035300BA886FB949F669A0D36D66E1ABC9F96F9486349B46437F7DF38C8008701

Function 0000024FE60CEFD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000024FE60CF004

Part of subcall function 0000024FE60C0A00: _getptd.LIBCMT ref: 0000024FE60C0A16
Part of subcall function 0000024FE60C0A00: __updatetlocinfo.LIBCMT ref: 0000024FE60C0A4B
Part of subcall function 0000024FE60C0A00: __updatetmbcinfo.LIBCMT ref: 0000024FE60C0A72

_errno.LIBCMT ref: 0000024FE60CF01F
_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60CF02A

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
Instruction ID: 0e9febd4511cba8fef290614ae919228239671b1c37a359aea0eb78b75b6abf0
Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
Instruction Fuzzy Hash: B6317F723047A886F7A09B11964879DA6A4FFD4FE2FA49131AF5407BA6CB34C941D702

Function 0000024FE78B0B10 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78B0B4C

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B0B57
memcpy_s.LIBCMT ref: 0000024FE78B0C1C
_fileno.LIBCMT ref: 0000024FE78B0C87
_filbuf.LIBCMT ref: 0000024FE78B0CB5
_errno.LIBCMT ref: 0000024FE78B0D05

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction ID: 46be2e9416b2053b923142aa287de9b676bc98c5d7cc14c426af429da44c6a33
Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction Fuzzy Hash: 64618F34318F094AE6B85E2C655E33A72D1E7E5722F74033EA656C32E6DB60E95342C1

Function 0000024FE60BFF10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60BFF4C

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60BFF57
memcpy_s.LIBCMT ref: 0000024FE60C001C
_fileno.LIBCMT ref: 0000024FE60C0087
_filbuf.LIBCMT ref: 0000024FE60C00B5
_errno.LIBCMT ref: 0000024FE60C0105

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
Instruction ID: 64da6851332f311e1f637563146712c43a5348a24996d960308f5e27fe30195b
Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
Instruction Fuzzy Hash: 3751272130426882FAA48E665608769A590BBC5FF5FA49730AF3A43BF7CB35C591C241

Function 0000024FE78BFBD0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 0000024FE78B1600: _getptd.LIBCMT ref: 0000024FE78B1616
Part of subcall function 0000024FE78B1600: __updatetlocinfo.LIBCMT ref: 0000024FE78B164B
Part of subcall function 0000024FE78B1600: __updatetmbcinfo.LIBCMT ref: 0000024FE78B1672

_errno.LIBCMT ref: 0000024FE78BFC1F
_invalid_parameter_noinfo.LIBCMT ref: 0000024FE78BFC2A

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: __updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808835054-0
Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction ID: 128a3ebd83c6f2a9b972f85b72480b0e6ae5db83af6adedf40456023cc238d0a
Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction Fuzzy Hash: CE31AF34708E184FD794DF18919876AB3D0FBA8322F7006B9A949C72E6CB30DD828781

Function 0000024FE78B0620 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78B0577

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B0582
_getstream.LIBCMT ref: 0000024FE78B05A2
_errno.LIBCMT ref: 0000024FE78B05B4
_errno.LIBCMT ref: 0000024FE78B05C6
_openfile.LIBCMT ref: 0000024FE78B05F4

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
Instruction ID: 4e3ea423fea417b87a9e299d39f384e74e2d7f695ce004fb00a2fc1fbc5c057c
Opcode Fuzzy Hash: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
Instruction Fuzzy Hash: 2D21C174708F0A8FF7E4AF28554936E76D1EBE9312F24057AA549D32B2DB34CE424381

Function 0000024FE60BFA20 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60BF977

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60BF982
_getstream.LIBCMT ref: 0000024FE60BF9A2
_errno.LIBCMT ref: 0000024FE60BF9B4
_errno.LIBCMT ref: 0000024FE60BF9C6
_openfile.LIBCMT ref: 0000024FE60BF9F4

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
Instruction ID: e5986c9aa73a9c71b3a70cb83556b344c752ab597cabd65ec0da1b03ed6cc69b
Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
Instruction Fuzzy Hash: 3921D5213147AA91FBA15F21AA0935EA290BBC9FC1FC494319F4A97BB7DF3CC4518701

Function 0000024FE60C9B3C Relevance: 9.1, APIs: 6, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60C9B55

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

__lock_fhandle.LIBCMT ref: 0000024FE60C9B9D
__doserrno.LIBCMT ref: 0000024FE60C9BD2
_errno.LIBCMT ref: 0000024FE60C9BD9

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
String ID:
API String ID: 2102446242-0
Opcode ID: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
Instruction ID: 85f9ec036161d8ae302aa362d3025e67161cd74431f231d3c665bdb421720819
Opcode Fuzzy Hash: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
Instruction Fuzzy Hash: 2F21D2213006BC95FB956F699B9D3AD6650EFC0F62FD94238AB16073F3CA78C8418316

Function 0000024FE60BE3EC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE60BE40F

Part of subcall function 0000024FE60BE684: _FF_MSGBANNER.LIBCMT ref: 0000024FE60BE6B4
Part of subcall function 0000024FE60BE684: _NMSG_WRITE.LIBCMT ref: 0000024FE60BE6BE
Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE6F2
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE6FD
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE708

malloc.LIBCMT ref: 0000024FE60BE41D

Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE718
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE71D

malloc.LIBCMT ref: 0000024FE60BE43F
_snprintf.LIBCMT ref: 0000024FE60BE45A

Part of subcall function 0000024FE60BEA3C: _errno.LIBCMT ref: 0000024FE60BEA73
Part of subcall function 0000024FE60BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE60BEA7E

malloc.LIBCMT ref: 0000024FE60BE475

Strings

dpoolWait, xrefs: 0000024FE60BE444

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID: dpoolWait
API String ID: 2026495703-1875951006
Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
Instruction ID: 6aee52c922aa806952a301b4dae8c21b1b2b197e07c00fa8e42310b761690b2b
Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
Instruction Fuzzy Hash: 0E018B71700BA441EA84DF12B9087596799E7DCFE1F85822AEFAA477E6CA38C0418780

Function 0000024FE78A31F4 Relevance: 9.0, APIs: 7, Instructions: 264stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 0000024FE78A322E
strchr.LIBCMT ref: 0000024FE78A324C
malloc.LIBCMT ref: 0000024FE78A3264
malloc.LIBCMT ref: 0000024FE78A3271
rand.LIBCMT ref: 0000024FE78A333D
free.LIBCMT ref: 0000024FE78A345B
free.LIBCMT ref: 0000024FE78A3463

Part of subcall function 0000024FE78AF244: RtlFreeHeap.NTDLL ref: 0000024FE78AF25A
Part of subcall function 0000024FE78AF244: _errno.LIBCMT ref: 0000024FE78AF264

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$FreeHeap_errnorand
String ID:
API String ID: 3504763109-0
Opcode ID: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction ID: 648e075a529d06e4a42b195216e67a008a7c48820fa2f7cf1d92789610c733af
Opcode Fuzzy Hash: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction Fuzzy Hash: 3981C720719E984BE7E6AB2C99153F6B3D0FFF9306F14027DD689C71A2DA248A478741

Function 0000024FE7894170 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE78941BD

Part of subcall function 0000024FE78AF284: _FF_MSGBANNER.LIBCMT ref: 0000024FE78AF2B4
Part of subcall function 0000024FE78AF284: _NMSG_WRITE.LIBCMT ref: 0000024FE78AF2BE
Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF2F2
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF2FD
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF308

malloc.LIBCMT ref: 0000024FE78941C8

Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF318
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF31D

free.LIBCMT ref: 0000024FE78942AF
free.LIBCMT ref: 0000024FE78942B7
free.LIBCMT ref: 0000024FE78942BF
free.LIBCMT ref: 0000024FE78942CB
free.LIBCMT ref: 0000024FE78942D8

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction ID: c2a600fad0316ddef0fdb479f1bc2676793258573ab5c544346a3afe24ba5bb0
Opcode Fuzzy Hash: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction Fuzzy Hash: 0651D634718E494BE7D9AB6895492BA73D0FB99302F60127DDA4FC32A7EB50DD038684

Function 0000024FE60B25F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 0000024FE60B262E
strchr.LIBCMT ref: 0000024FE60B264C
malloc.LIBCMT ref: 0000024FE60B2664
malloc.LIBCMT ref: 0000024FE60B2671
rand.LIBCMT ref: 0000024FE60B273D
free.LIBCMT ref: 0000024FE60B285B
free.LIBCMT ref: 0000024FE60B2863

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$rand
String ID:
API String ID: 1305919620-0
Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
Instruction ID: c6115df9a518f8b6f4dfb69c0336b85c49038a6623fa667cf68adf9acea05106
Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
Instruction Fuzzy Hash: 11711861704AD841FAA69F29A5183FA6390EFD9FC5F889130DB8B177B7DE2DC1468700

Function 0000024FE60A3570 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE60A35BD

Part of subcall function 0000024FE60BE684: _FF_MSGBANNER.LIBCMT ref: 0000024FE60BE6B4
Part of subcall function 0000024FE60BE684: _NMSG_WRITE.LIBCMT ref: 0000024FE60BE6BE
Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE6F2
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE6FD
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE708

malloc.LIBCMT ref: 0000024FE60A35C8

Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE718
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE71D

free.LIBCMT ref: 0000024FE60A36AF
free.LIBCMT ref: 0000024FE60A36B7
free.LIBCMT ref: 0000024FE60A36BF
free.LIBCMT ref: 0000024FE60A36CB
free.LIBCMT ref: 0000024FE60A36D8

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
Instruction ID: 3107902726b41b484c015771b270316cc7529615f028cf29b63dcb7bc2639d0f
Opcode Fuzzy Hash: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
Instruction Fuzzy Hash: 884190223007A99BFA99DF269A5825967A0B7A9FC2FC48134DF5687763DF34D422C700

Function 0000024FE60BB630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 0000024FE60BB654

Part of subcall function 0000024FE60BF84C: _getptd.LIBCMT ref: 0000024FE60BF854

malloc.LIBCMT ref: 0000024FE60BB69C
strtok.LIBCMT ref: 0000024FE60BB700
strtok.LIBCMT ref: 0000024FE60BB711

Strings

eThreadpoolTimer, xrefs: 0000024FE60BB6DA

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: strtok$_getptd_time64malloc
String ID: eThreadpoolTimer
API String ID: 1522986614-2707337283
Opcode ID: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
Instruction ID: 54f0d4c27a3dd9849bc803a238975176a1bf85196581261c953e4dd4b2da7334
Opcode Fuzzy Hash: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
Instruction Fuzzy Hash: 1F2193727007A882FB40DF12A18866D37A8F798FD5F568225EF5B43792CF34C4418740

Function 0000024FE60ABE74 Relevance: 7.8, APIs: 6, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000024FE60B53EC: malloc.LIBCMT ref: 0000024FE60B5408

malloc.LIBCMT ref: 0000024FE60ABF3B

Part of subcall function 0000024FE60BE684: _FF_MSGBANNER.LIBCMT ref: 0000024FE60BE6B4
Part of subcall function 0000024FE60BE684: _NMSG_WRITE.LIBCMT ref: 0000024FE60BE6BE
Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE6F2
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE6FD
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE708

Part of subcall function 0000024FE60BB630: _time64.LIBCMT ref: 0000024FE60BB654
Part of subcall function 0000024FE60BB630: malloc.LIBCMT ref: 0000024FE60BB69C
Part of subcall function 0000024FE60BB630: strtok.LIBCMT ref: 0000024FE60BB700
Part of subcall function 0000024FE60BB630: strtok.LIBCMT ref: 0000024FE60BB711

Part of subcall function 0000024FE60B28A0: _time64.LIBCMT ref: 0000024FE60B28AE

Part of subcall function 0000024FE60BDEA8: malloc.LIBCMT ref: 0000024FE60BDEF8

Part of subcall function 0000024FE60BDEA8: realloc.LIBCMT ref: 0000024FE60BDF07

malloc.LIBCMT ref: 0000024FE60AC04A
_snprintf.LIBCMT ref: 0000024FE60AC0C1
_snprintf.LIBCMT ref: 0000024FE60AC0E7
_snprintf.LIBCMT ref: 0000024FE60AC10E
free.LIBCMT ref: 0000024FE60AC2C6

Part of subcall function 0000024FE60BA144: malloc.LIBCMT ref: 0000024FE60BA178
Part of subcall function 0000024FE60BA144: free.LIBCMT ref: 0000024FE60BA32F

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
String ID:
API String ID: 1314452303-0
Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
Instruction ID: 31c61f81b17e18b64715272ef36a758ec203f68c108518772b54bdb0397b6f2c
Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
Instruction Fuzzy Hash: 60C180323002A946FAD4EF619A5D7AD6391ABC9FC6FC18135AB16477F7DE38C8068700

Function 0000024FE78A1694 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0000024FE78A5FEC: malloc.LIBCMT ref: 0000024FE78A6008

Part of subcall function 0000024FE78B0620: _errno.LIBCMT ref: 0000024FE78B0577
Part of subcall function 0000024FE78B0620: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B0582

fseek.LIBCMT ref: 0000024FE78A1730

Part of subcall function 0000024FE78B0EA4: _errno.LIBCMT ref: 0000024FE78B0ECC
Part of subcall function 0000024FE78B0EA4: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B0ED7

_ftelli64.LIBCMT ref: 0000024FE78A1738

Part of subcall function 0000024FE78B0F18: _errno.LIBCMT ref: 0000024FE78B0F36
Part of subcall function 0000024FE78B0F18: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B0F41

fseek.LIBCMT ref: 0000024FE78A1748

Part of subcall function 0000024FE78B0EA4: _fseek_nolock.LIBCMT ref: 0000024FE78B0EF5

malloc.LIBCMT ref: 0000024FE78A1788

Part of subcall function 0000024FE78AF284: _FF_MSGBANNER.LIBCMT ref: 0000024FE78AF2B4
Part of subcall function 0000024FE78AF284: _NMSG_WRITE.LIBCMT ref: 0000024FE78AF2BE
Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF2F2
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF2FD
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF308

fclose.LIBCMT ref: 0000024FE78A1845

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction ID: 1cbd877936b4211eda89d35b375224918d8cab321205e5632523cf51d65b816d
Opcode Fuzzy Hash: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction Fuzzy Hash: 62519431718E084BE7D9EB2894597B972D1EBE8311F60427EE54FC32E7DD249A038681

Function 0000024FE78BA348 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 0000024FE78BA375

Part of subcall function 0000024FE78B3E58: _FF_MSGBANNER.LIBCMT ref: 0000024FE78B3E75
Part of subcall function 0000024FE78B3E58: _NMSG_WRITE.LIBCMT ref: 0000024FE78B3E7F

_lock.LIBCMT ref: 0000024FE78BA388
_lock.LIBCMT ref: 0000024FE78BA3E3
_calloc_crt.LIBCMT ref: 0000024FE78BA49A

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction ID: 93fc8d64b22ab314ef68cb5825370d2ac57a4a3735c8ed9aeb141b9d130df9a9
Opcode Fuzzy Hash: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction Fuzzy Hash: C2510674618F088FE7A4DF58C98E365B7D0FBA4311F61026DD94AC32B2D674DA438782

Function 0000024FE78954F0 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE789553A

Part of subcall function 0000024FE78AF284: _FF_MSGBANNER.LIBCMT ref: 0000024FE78AF2B4
Part of subcall function 0000024FE78AF284: _NMSG_WRITE.LIBCMT ref: 0000024FE78AF2BE
Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF2F2
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF2FD
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF308

malloc.LIBCMT ref: 0000024FE7895545

Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF318
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF31D

free.LIBCMT ref: 0000024FE789562C
free.LIBCMT ref: 0000024FE7895634
free.LIBCMT ref: 0000024FE7895640
free.LIBCMT ref: 0000024FE789564D

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction ID: 2ff27b8d34c7fa3117d83bb681f55a49109f3758c73290dd8fd919ba81731444
Opcode Fuzzy Hash: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction Fuzzy Hash: 7541E930318F0D4BE7A99A68494927677D5E7E6352F24413ED98BC32B3EE20D90787C1

Function 0000024FE78B239C Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 0000024FE78B23B9

Part of subcall function 0000024FE78B5A54: _errno.LIBCMT ref: 0000024FE78B5A5D
Part of subcall function 0000024FE78B5A54: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B5A68

_errno.LIBCMT ref: 0000024FE78B23C9

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

_errno.LIBCMT ref: 0000024FE78B23E5
_isatty.LIBCMT ref: 0000024FE78B2446
_getbuf.LIBCMT ref: 0000024FE78B2452

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction ID: 141a595468ba96de6dc672388c2e5b8de3d5e18c633ba49dbe9ce35136d8f130
Opcode Fuzzy Hash: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction Fuzzy Hash: B351E334314E088FEBECEF28C59976577D0FBA8311F640669DA55CB2E6D634CA82C781

Function 0000024FE78A9220 Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE78A924F

Part of subcall function 0000024FE78AF284: _FF_MSGBANNER.LIBCMT ref: 0000024FE78AF2B4
Part of subcall function 0000024FE78AF284: _NMSG_WRITE.LIBCMT ref: 0000024FE78AF2BE
Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF2F2
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF2FD
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF308

_snprintf.LIBCMT ref: 0000024FE78A9267

Part of subcall function 0000024FE78AF63C: _errno.LIBCMT ref: 0000024FE78AF673
Part of subcall function 0000024FE78AF63C: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE78AF67E

free.LIBCMT ref: 0000024FE78A927E

Part of subcall function 0000024FE78AF244: RtlFreeHeap.NTDLL ref: 0000024FE78AF25A
Part of subcall function 0000024FE78AF244: _errno.LIBCMT ref: 0000024FE78AF264

malloc.LIBCMT ref: 0000024FE78A92CE
_snprintf.LIBCMT ref: 0000024FE78A92E6
free.LIBCMT ref: 0000024FE78A930E

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$FreeHeap_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 343393124-0
Opcode ID: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction ID: c74fbfe6d038412f91b21894de2da66afa212a33b4bae42649407228f85bd2e7
Opcode Fuzzy Hash: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction Fuzzy Hash: 5041A22070CE480FE7E8AB6C65593B477D2E7E9311F6452ADE18EC32A6DE249D038781

Function 0000024FE60B0A94 Relevance: 7.6, APIs: 5, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0000024FE60B53EC: malloc.LIBCMT ref: 0000024FE60B5408

Part of subcall function 0000024FE60BFA20: _errno.LIBCMT ref: 0000024FE60BF977
Part of subcall function 0000024FE60BFA20: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE60BF982

fseek.LIBCMT ref: 0000024FE60B0B30

Part of subcall function 0000024FE60C02A4: _errno.LIBCMT ref: 0000024FE60C02CC
Part of subcall function 0000024FE60C02A4: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE60C02D7

_ftelli64.LIBCMT ref: 0000024FE60B0B38

Part of subcall function 0000024FE60C0318: _errno.LIBCMT ref: 0000024FE60C0336
Part of subcall function 0000024FE60C0318: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE60C0341

fseek.LIBCMT ref: 0000024FE60B0B48

Part of subcall function 0000024FE60C02A4: _fseek_nolock.LIBCMT ref: 0000024FE60C02F5

malloc.LIBCMT ref: 0000024FE60B0B88

Part of subcall function 0000024FE60BE684: _FF_MSGBANNER.LIBCMT ref: 0000024FE60BE6B4
Part of subcall function 0000024FE60BE684: _NMSG_WRITE.LIBCMT ref: 0000024FE60BE6BE
Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE6F2
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE6FD
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE708

Part of subcall function 0000024FE60AC444: malloc.LIBCMT ref: 0000024FE60AC457

fclose.LIBCMT ref: 0000024FE60B0C45

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 1756087678-0
Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
Instruction ID: fcb5749ec4f7939d4f804fe832ef2a062fa1a89888377dd79a41db8f8fbe5d19
Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
Instruction Fuzzy Hash: 9941702231466882FA94EF12AA593A96251F7C9FD1FC48135AF5B47BE7DE38C6058700

Function 0000024FE60BFA2C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60BFA64

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60BFA6F
_flush.LIBCMT ref: 0000024FE60BFB21
_fileno.LIBCMT ref: 0000024FE60BFB42
_flsbuf.LIBCMT ref: 0000024FE60BFB85

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1640621425-0
Opcode ID: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
Instruction ID: 23885b9bc7d37024672a920d35b82bc96b5d3b7016838e98d4ea5c8dd08e56c3
Opcode Fuzzy Hash: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
Instruction Fuzzy Hash: E041F56130026886FAE89E22575C75DB691BBC8FE1F98D2309F5747BF3D678C8418600

Function 0000024FE60A48F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE60A493A

Part of subcall function 0000024FE60BE684: _FF_MSGBANNER.LIBCMT ref: 0000024FE60BE6B4
Part of subcall function 0000024FE60BE684: _NMSG_WRITE.LIBCMT ref: 0000024FE60BE6BE
Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE6F2
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE6FD
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE708

malloc.LIBCMT ref: 0000024FE60A4945

Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE718
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE71D

free.LIBCMT ref: 0000024FE60A4A2C
free.LIBCMT ref: 0000024FE60A4A34
free.LIBCMT ref: 0000024FE60A4A40
free.LIBCMT ref: 0000024FE60A4A4D

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
Instruction ID: ec9eb75533a3c84c22617f640d771356079e26c286409ebb1ad7117b5dfcc85d
Opcode Fuzzy Hash: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
Instruction Fuzzy Hash: EE41C0273147A986FA95DF265A082596795B7E4FDAF898030DF168B763EE38C406C304

Function 0000024FE789FC64 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE789FC85

Part of subcall function 0000024FE78AF284: _FF_MSGBANNER.LIBCMT ref: 0000024FE78AF2B4
Part of subcall function 0000024FE78AF284: _NMSG_WRITE.LIBCMT ref: 0000024FE78AF2BE
Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF2F2
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF2FD
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF308

free.LIBCMT ref: 0000024FE789FCC0
fwrite.LIBCMT ref: 0000024FE789FD01
fclose.LIBCMT ref: 0000024FE789FD09
free.LIBCMT ref: 0000024FE789FD16

Part of subcall function 0000024FE78AF244: RtlFreeHeap.NTDLL ref: 0000024FE78AF25A
Part of subcall function 0000024FE78AF244: _errno.LIBCMT ref: 0000024FE78AF264

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$free$FreeHeap_callnewhfclosefwritemalloc
String ID:
API String ID: 415550720-0
Opcode ID: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction ID: abc2083c25ab806c476c63bce042b717e160651a68906ece7ac836bc56010c5a
Opcode Fuzzy Hash: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction Fuzzy Hash: 4B215B20718E084BE6D8FB2855593ADB6D1FBE8356F60057D654EC32E6DE24CE438741

Function 0000024FE60B8620 Relevance: 7.6, APIs: 6, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE60B864F

Part of subcall function 0000024FE60BE684: _FF_MSGBANNER.LIBCMT ref: 0000024FE60BE6B4
Part of subcall function 0000024FE60BE684: _NMSG_WRITE.LIBCMT ref: 0000024FE60BE6BE
Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE6F2
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE6FD
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE708

_snprintf.LIBCMT ref: 0000024FE60B8667

Part of subcall function 0000024FE60BEA3C: _errno.LIBCMT ref: 0000024FE60BEA73
Part of subcall function 0000024FE60BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE60BEA7E

free.LIBCMT ref: 0000024FE60B867E

Part of subcall function 0000024FE60BE644: _errno.LIBCMT ref: 0000024FE60BE664

malloc.LIBCMT ref: 0000024FE60B86CE
_snprintf.LIBCMT ref: 0000024FE60B86E6
free.LIBCMT ref: 0000024FE60B870E

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 761449704-0
Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
Instruction ID: 290c828f31ee9cd41a36e33b6dfe2a1fa1d0f6e7bd892c1b8e905e0e7ab1a2d1
Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
Instruction Fuzzy Hash: 893190113006A946F6959F626A1C3A56B61B7CAFE6FC88271DFA6077B7CE38C4428704

Function 0000024FE60AF064 Relevance: 7.6, APIs: 5, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE60AF085

Part of subcall function 0000024FE60BE684: _FF_MSGBANNER.LIBCMT ref: 0000024FE60BE6B4
Part of subcall function 0000024FE60BE684: _NMSG_WRITE.LIBCMT ref: 0000024FE60BE6BE
Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE6F2
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE6FD
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE708

free.LIBCMT ref: 0000024FE60AF0C0
fwrite.LIBCMT ref: 0000024FE60AF101
fclose.LIBCMT ref: 0000024FE60AF109
free.LIBCMT ref: 0000024FE60AF116

Part of subcall function 0000024FE60BE644: _errno.LIBCMT ref: 0000024FE60BE664

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$free$_callnewhfclosefwritemalloc
String ID:
API String ID: 1696598829-0
Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
Instruction ID: a399a51399b905548e14f81728a8572d7adbe6e6f7bba1cf696b5ad676fba2a9
Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
Instruction Fuzzy Hash: 0011876130466841FA90FE12E2193AE5391A7C9FD6FC49235AF6A4B7EBDE2CC5018740

Function 0000024FE78BA5EC Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78BA5FD

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

__doserrno.LIBCMT ref: 0000024FE78BA5F5

Part of subcall function 0000024FE78B1CA8: _getptd_noexit.LIBCMT ref: 0000024FE78B1CAC

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction ID: 108fe1e092465abbe94be3e9eb2e075f3ad16197cee770fac2863e2c31f35969
Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction Fuzzy Hash: 4401A268724C084EF399EF288A5D35832D0BBAA327FB4026492058B0F6D73885438712

Function 0000024FE60C99EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60C99FD

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

__doserrno.LIBCMT ref: 0000024FE60C99F5

Part of subcall function 0000024FE60C10A8: _getptd_noexit.LIBCMT ref: 0000024FE60C10AC

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
Instruction ID: 65f67f2f84bbcbbbd877a3ce42fbaef5977751fda42f6047b81652e3b9564b26
Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
Instruction Fuzzy Hash: E4018161B1166C44FE852B24CA4D3AC6251AFD0F33FE18361D729073F3C66884214652

Function 0000024FE789EC04 Relevance: 6.5, APIs: 5, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000024FE789ECD3
_snprintf.LIBCMT ref: 0000024FE789ECFE
_snprintf.LIBCMT ref: 0000024FE789ED1A
_snprintf.LIBCMT ref: 0000024FE789EDCF
_snprintf.LIBCMT ref: 0000024FE789EDE6

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID:
API String ID: 3512837008-0
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: 7790fc0b27a90e3c649bb6f6d914835b176eb90b89ac9f53c6282268ccb5e498
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: DB91A531218E094FEB94EF18D889BAA77E5FBE5302F104679E54AC31B2DB34DA46C741

Function 0000024FE60AE004 Relevance: 6.4, APIs: 5, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000024FE60AE0D3
_snprintf.LIBCMT ref: 0000024FE60AE0FE
_snprintf.LIBCMT ref: 0000024FE60AE11A
_snprintf.LIBCMT ref: 0000024FE60AE1CF
_snprintf.LIBCMT ref: 0000024FE60AE1E6

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID:
API String ID: 3512837008-0
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: 429bb21b5b8afabc060ba62721919e43d8f1084091c0d736c03c24a01f052c17
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: 34814B32300AA986FB90DF61DA483E977A0F7C8B96F844532EB5A137A6DF78C545C710

Function 0000024FE78AEFEC Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE78AF00F

Part of subcall function 0000024FE78AF284: _FF_MSGBANNER.LIBCMT ref: 0000024FE78AF2B4
Part of subcall function 0000024FE78AF284: _NMSG_WRITE.LIBCMT ref: 0000024FE78AF2BE
Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF2F2
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF2FD
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF308

malloc.LIBCMT ref: 0000024FE78AF01D

Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF318
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF31D

malloc.LIBCMT ref: 0000024FE78AF03F
_snprintf.LIBCMT ref: 0000024FE78AF05A

Part of subcall function 0000024FE78AF63C: _errno.LIBCMT ref: 0000024FE78AF673
Part of subcall function 0000024FE78AF63C: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE78AF67E

malloc.LIBCMT ref: 0000024FE78AF075

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction ID: 3d2b3b05b5bde323e7c348d82b5609cf5c2d3f56b7ef8e54ddb3765743821955
Opcode Fuzzy Hash: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction Fuzzy Hash: 77114F3061DF044FE7E8EB68A44935576D1E79C311F20466EE18AC32A6EA34DD4287C1

Function 0000024FE78B062C Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78B0664

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE78B066F
_flush.LIBCMT ref: 0000024FE78B0721
_fileno.LIBCMT ref: 0000024FE78B0742

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction ID: a1d4630ee5ca3137d5d584abe49ad8b6b63780e01b10a67ac9e2e5421360b154
Opcode Fuzzy Hash: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction Fuzzy Hash: D851D534708F094AE6F85E6D664E335B2C0EBF9312F34027E959AC31F2EA61DD534686

Function 0000024FE60BB3C0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction ID: eba8b1f4f6c2ac6b7e998f2c02794480cf70387b23a8e821ae2c174879eb6cfb
Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction Fuzzy Hash: 5F615B717016688BFBD48F15EA4936836A0E798F96F94853AEB26473B3CF39D4418B40

Function 0000024FE78910D0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0000024FE7891117
clock.LIBCMT ref: 0000024FE7891124
clock.LIBCMT ref: 0000024FE789112D
clock.LIBCMT ref: 0000024FE789113A

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: a679889d5657569c6595788d781ebe46b1ef22c6fda07ea16d8719cec3218a54
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: D2212631A0CB095EE7F8AD98554A666B2C0E7E5352F25123DEACA83173F9518D4382C6

Function 0000024FE60A04D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0000024FE60A0517
clock.LIBCMT ref: 0000024FE60A0524
clock.LIBCMT ref: 0000024FE60A052D
clock.LIBCMT ref: 0000024FE60A053A

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: a7e36b1365eee453b78cd2bfcbaf630ac33637de2c0e08a1f122c27e6944bf93
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: 6B113A3370076C85F3F0AEB66A8432BB690BBC4BD9F590131EF5603263E930C9818741

Function 0000024FE60CE9D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000024FE60CE9FC

Part of subcall function 0000024FE60C0A00: _getptd.LIBCMT ref: 0000024FE60C0A16
Part of subcall function 0000024FE60C0A00: __updatetlocinfo.LIBCMT ref: 0000024FE60C0A4B
Part of subcall function 0000024FE60C0A00: __updatetmbcinfo.LIBCMT ref: 0000024FE60C0A72

_errno.LIBCMT ref: 0000024FE60CEA08

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60CEA13
strchr.LIBCMT ref: 0000024FE60CEA29

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
Instruction ID: 0d33f494cf5de4120a950d5c68a6b8fdad8b40548ef5f78f69381f69f26cc6fc
Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
Instruction Fuzzy Hash: 6521C0627082BC49FBE09615925837DA6A0FBC1FD6F9C4131EBA60BAF7C92CC5418752

Function 0000024FE60B13B0 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE60B13D2

Part of subcall function 0000024FE60BE684: _FF_MSGBANNER.LIBCMT ref: 0000024FE60BE6B4
Part of subcall function 0000024FE60BE684: _NMSG_WRITE.LIBCMT ref: 0000024FE60BE6BE
Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE6F2
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE6FD
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE708

_snprintf.LIBCMT ref: 0000024FE60B13F1

Part of subcall function 0000024FE60BEA3C: _errno.LIBCMT ref: 0000024FE60BEA73
Part of subcall function 0000024FE60BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000024FE60BEA7E

remove.LIBCMT ref: 0000024FE60B13FD
remove.LIBCMT ref: 0000024FE60B1404

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID:
API String ID: 2566950902-0
Opcode ID: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
Instruction ID: c9c9059845e5ead833ac8b2060cea8d18ec77bf7ceeec41fce519b4fce44ed0a
Opcode Fuzzy Hash: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
Instruction Fuzzy Hash: DEF09621704B6485F2909F12BA1939AA360A7C8FD1F988131BF4A17BA7CE38C5418744

Function 0000024FE78AF860 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE78AF8B1

Part of subcall function 0000024FE78B1D18: _getptd_noexit.LIBCMT ref: 0000024FE78B1D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE78AF8BC

Strings

B, xrefs: 0000024FE78AF8E8

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction ID: 19e44489b9601bd9e7b22b0d1e4493ec49a95173210af10efc0c180f8a2ddf1a
Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction Fuzzy Hash: B711C130628F084FD784EF1C948976AB3D1FBA8325F6043AEA119C32A1CB74CA45C782

Function 0000024FE60BEC60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000024FE60BECB1

Part of subcall function 0000024FE60C1118: _getptd_noexit.LIBCMT ref: 0000024FE60C111C

_invalid_parameter_noinfo.LIBCMT ref: 0000024FE60BECBC

Strings

B, xrefs: 0000024FE60BECE8

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
Instruction ID: 52c2a2ebd26fb287142947a622c49e7a5748503dbbd0478620a969fcea2cd01e
Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
Instruction Fuzzy Hash: 4311A172710A6886FB509F12D54839DB661FBD8FE4FA48320AF6907BA6CF38C145CB00

Function 0000024FE60A10C4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000024FE60A116A

Part of subcall function 0000024FE60CE208: _calloc_impl.LIBCMT ref: 0000024FE60CE218
Part of subcall function 0000024FE60CE208: _errno.LIBCMT ref: 0000024FE60CE22B
Part of subcall function 0000024FE60CE208: _errno.LIBCMT ref: 0000024FE60CE235

free.LIBCMT ref: 0000024FE60A12F3
free.LIBCMT ref: 0000024FE60A12FD
free.LIBCMT ref: 0000024FE60A130F

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
Instruction ID: 4032eab09fb05189153ae3cff5815a261a284c1474b473ecb2988984eccf9df8
Opcode Fuzzy Hash: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
Instruction Fuzzy Hash: 7CC1FB37708B948AE7A4CF55E58879E77B4F788B84F504129EB8D83B69DB38C455CB00

Function 0000024FE78AAD44 Relevance: 5.2, APIs: 4, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE78AAD78

Part of subcall function 0000024FE78AF284: _FF_MSGBANNER.LIBCMT ref: 0000024FE78AF2B4
Part of subcall function 0000024FE78AF284: _NMSG_WRITE.LIBCMT ref: 0000024FE78AF2BE
Part of subcall function 0000024FE78AF284: _callnewh.LIBCMT ref: 0000024FE78AF2F2
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF2FD
Part of subcall function 0000024FE78AF284: _errno.LIBCMT ref: 0000024FE78AF308

free.LIBCMT ref: 0000024FE78AAEBF
free.LIBCMT ref: 0000024FE78AAF23
free.LIBCMT ref: 0000024FE78AAF2F

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction ID: 362a33f1ec3b38b3dedd5e2e60c2f48dded66977632cdb7e287248fa578d4203
Opcode Fuzzy Hash: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction Fuzzy Hash: 14618830719D094BE7EDEB28D5597B972D1E7E4342F20093DE64AC31A7DE34DA078682

Function 0000024FE7894300 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE7894363

Memory Dump Source

Source File: 00000000.00000002.3181428388.0000024FE7890000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000024FE7890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe7890000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction ID: e81bc553c94ec17629949fdea50d953599584b3f06dbb706cc53b32ae875e5eb
Opcode Fuzzy Hash: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction Fuzzy Hash: 2251B530318E454BEB98DF2C958966A73D1FBE8302F20557DE95FC32A6EA20DD138681

Function 0000024FE60BA144 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE60BA178

Part of subcall function 0000024FE60BE684: _FF_MSGBANNER.LIBCMT ref: 0000024FE60BE6B4
Part of subcall function 0000024FE60BE684: _NMSG_WRITE.LIBCMT ref: 0000024FE60BE6BE
Part of subcall function 0000024FE60BE684: _callnewh.LIBCMT ref: 0000024FE60BE6F2
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE6FD
Part of subcall function 0000024FE60BE684: _errno.LIBCMT ref: 0000024FE60BE708

free.LIBCMT ref: 0000024FE60BA2BF
free.LIBCMT ref: 0000024FE60BA323
free.LIBCMT ref: 0000024FE60BA32F

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
Instruction ID: 4549b754e1a48460a9ac78b4370a83b9d785498a0779a0608bf44954c2eb0ac0
Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
Instruction Fuzzy Hash: FE518D7130026D81FA98AF26A65C3AD6391E7C8FC2FD48535AB1B17BB7DAB9C5018700

Function 0000024FE60A3700 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000024FE60A3763

Memory Dump Source

Source File: 00000000.00000002.3181395250.0000024FE60A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000024FE60A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24fe60a0000_mode11_AKUh.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
Instruction ID: c350de0cd0fc9d3f668651e4b9779074391ab88e882a92d287b026bcadab18c8
Opcode Fuzzy Hash: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
Instruction Fuzzy Hash: F94160337007A88AFB98DA26961866D63A0B394FC5F848535EF2A87796DF74D8058700

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mode11_AKUh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
mode11_AKUh.exe

Function 0000024FE789E68C Relevance: 9.3, APIs: 6, Instructions: 260
networkCOMMONLIBRARYCODE

Function 0000024FE78A5E28 Relevance: 4.7, APIs: 3, Instructions: 190
stringCOMMONLIBRARYCODE

Function 0000024FE789CA74 Relevance: 7.9, APIs: 6, Instructions: 411
COMMONLIBRARYCODE

Function 0000024FE789F014 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Function 0000024FE789EA48 Relevance: 3.2, APIs: 2, Instructions: 159
networkCOMMONLIBRARYCODE

Function 0000024FE60B96B4 Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON

Function 0000024FE60B9324 Relevance: 1.3, APIs: 1, Instructions: 87
memoryCOMMON

Function 0076F220 Relevance: .1, Instructions: 57
COMMON

Function 0076B5C0 Relevance: .0, Instructions: 2
COMMON