Edit tour

Windows Analysis Report
mode11_buqd.exe

Overview

General Information

Sample name:	mode11_buqd.exe
Analysis ID:	1583718
MD5:	061c6604a402b997dd6aced94ceaff5e
SHA1:	33f3301b7c351637527e2fca7189989c5a7f3803
SHA256:	4a3341b1a681826f08bc9ec90ca24459826bb28f909030ba522d5ae2c92467d7
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Performs DNS queries to domains with low reputation

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

IP address seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

mode11_buqd.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\mode11_buqd.exe" MD5: 061C6604A402B997DD6ACED94CEAFF5E)

conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 8443, "SleepTime": 12000, "MaxGetSize": 1403642, "Jitter": 60, "C2Server": "632313373.xyz,/js/jquery-3.3.1.min.js", "HttpPostUri": "/post", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 4016 bytes from the beginning", "Base64 decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "NtQueueApcThread-s", "SetThreadContext", "CreateRemoteThread", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": "Host: 632313373.xyz\r\n"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x32760:$a39: %s as %s\%s: %d 0x41be2:$a41: beacon.x64.dll 0x33970:$a46: %s (admin) 0x328d8:$a48: %s%s: %s 0x3278c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x327b8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x339d9:$a51: Content-Length: %d
00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x1a4ca:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 71 F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0x1986e:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30d60:$a39: %s as %s\%s: %d 0x401e2:$a41: beacon.x64.dll 0x31f70:$a46: %s (admin) 0x30ed8:$a48: %s%s: %s 0x30d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x30db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31fd9:$a51: Content-Length: %d
00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0xa4d60:$a39: %s as %s\%s: %d 0xdad60:$a39: %s as %s\%s: %d 0x11ed60:$a39: %s as %s\%s: %d 0xea1e2:$a41: beacon.x64.dll 0x12e1e2:$a41: beacon.x64.dll 0xa5f70:$a46: %s (admin) 0xdbf70:$a46: %s (admin) 0x11ff70:$a46: %s (admin) 0xa4ed8:$a48: %s%s: %s 0xdaed8:$a48: %s%s: %s 0x11eed8:$a48: %s%s: %s 0xa4d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xa4db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xdad8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xdadb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x11ed8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x11edb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xa5fd9:$a51: Content-Length: %d 0xdbfd9:$a51: Content-Length: %d 0x11ffd9:$a51: Content-Length: %d
00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x46d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x66d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x90d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0xc6d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x10ad3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x4296a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x43c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x6296a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x63c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x8c96a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x8dc9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xc296a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xc3c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x10696a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x107c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
Process Memory Space: mode11_buqd.exe PID: 7360	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: mode11_buqd.exe PID: 7360	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: mode11_buqd.exe PID: 7360	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: mode11_buqd.exe PID: 7360	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x6989e5:$a39: %s as %s\%s: %d 0x6ac476:$a39: %s as %s\%s: %d 0x8381bf:$a39: %s as %s\%s: %d 0x69c7a0:$a41: beacon.x64.dll 0x6b050a:$a41: beacon.x64.dll 0x83bd6e:$a41: beacon.x64.dll 0x698d6b:$a46: %s (admin) 0x698dea:$a46: %s (admin) 0x6ac7fc:$a46: %s (admin) 0x6ac87b:$a46: %s (admin) 0x838545:$a46: %s (admin) 0x8385c4:$a46: %s (admin) 0x698b03:$a48: %s%s: %s 0x6ac594:$a48: %s%s: %s 0x8382dd:$a48: %s%s: %s 0x6989ff:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x698a28:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x698bab:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x6ac490:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x6ac4b9:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x6ac63c:$a50: %02d/%02d/%02d %02d:%02d:%02d
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.mode11_buqd.exe.c000102000.7.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x4513c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.mode11_buqd.exe.c000102000.7.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x40d6a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x4209b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30d60:$a39: %s as %s\%s: %d 0x401e2:$a41: beacon.x64.dll 0x31f70:$a46: %s (admin) 0x30ed8:$a48: %s%s: %s 0x30d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x30db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x31fd9:$a51: Content-Length: %d
0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.mode11_buqd.exe.25c73fa0000.12.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.mode11_buqd.exe.25c73fa0000.12.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.mode11_buqd.exe.25c73fa0000.12.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.mode11_buqd.exe.25c73fa0000.12.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1c13c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.mode11_buqd.exe.25c73fa0000.12.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17d6a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1909b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.mode11_buqd.exe.c000102000.7.raw.unpack	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
0.2.mode11_buqd.exe.c000102000.7.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.mode11_buqd.exe.c000102000.7.raw.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.mode11_buqd.exe.c000102000.7.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.mode11_buqd.exe.c000102000.7.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0xa4d60:$a39: %s as %s\%s: %d 0xdad60:$a39: %s as %s\%s: %d 0x11ed60:$a39: %s as %s\%s: %d 0xea1e2:$a41: beacon.x64.dll 0x12e1e2:$a41: beacon.x64.dll 0xa5f70:$a46: %s (admin) 0xdbf70:$a46: %s (admin) 0x11ff70:$a46: %s (admin) 0xa4ed8:$a48: %s%s: %s 0xdaed8:$a48: %s%s: %s 0x11eed8:$a48: %s%s: %s 0xa4d8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xa4db8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xdad8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xdadb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x11ed8c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x11edb8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xa5fd9:$a51: Content-Length: %d 0xdbfd9:$a51: Content-Length: %d 0x11ffd9:$a51: Content-Length: %d
0.2.mode11_buqd.exe.c000102000.7.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x46d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x66d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x90d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0xc6d3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 0x10ad3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.mode11_buqd.exe.c000102000.7.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x4296a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x43c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x6296a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x63c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x8c96a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x8dc9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xc296a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xc3c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x10696a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x107c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
Click to see the 17 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsJWnu	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3011b87bd06	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsV	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsH	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsab	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsR	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsnt:	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsN	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js$	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsetCookies	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsD	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsO	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/	Avira URL Cloud: Label: malware
Source: https://632313373.xyz/	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js8	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsdez	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsl	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js0acc1ce4a71	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsk	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderH	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js2	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsgraphy	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/Dc	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderA	Avira URL Cloud: Label: malware
Source: 632313373.xyz	Avira URL Cloud: Label: malware
Source: https://632313373.xyz:8443/js/jquery-3.3.1.min.js/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 8443, "SleepTime": 12000, "MaxGetSize": 1403642, "Jitter": 60, "C2Server": "632313373.xyz,/js/jquery-3.3.1.min.js", "HttpPostUri": "/post", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 4016 bytes from the beginning", "Base64 decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQkJCQkJCQ", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "NtQueueApcThread-s", "SetThreadContext", "CreateRemoteThread", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": "Host: 632313373.xyz\r\n"}

Multi AV Scanner detection for submitted file

Source: mode11_buqd.exe	ReversingLabs: Detection: 21%
Source: mode11_buqd.exe	Virustotal: Detection: 25%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: mode11_buqd.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 632313373.xyz

Performs DNS queries to domains with low reputation

Source:

DNS query: 632313373.xyz

Source: global traffic

TCP traffic: 192.168.2.5:49724 -> 188.114.96.3:8443

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\mode11_buqd.exe

Code function: 0_2_0000025C757BE68C _snprintf,_snprintf,_snprintf,InternetQueryDataAvailable,InternetReadFile,InternetCloseHandle,

0_2_0000025C757BE68C

Source: global traffic

DNS traffic detected: DNS query: 632313373.xyz

Source: mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542926635.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664245105.0000025C2EB9A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462633796.0000025C2EBAB000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EBA2000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284354764.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542926635.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EBA2000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284305766.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2422666108.0000025C2EB9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/PCUeQViQlYc.crl0
Source: mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542926635.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664245105.0000025C2EB9A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462633796.0000025C2EBAB000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EBA2000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284354764.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542926635.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EBA2000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt
Source: mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284305766.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2422666108.0000025C2EB9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt0
Source: mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284305766.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2422666108.0000025C2EB9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/lk00%
Source: mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz/
Source: mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/
Source: mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/Dc
Source: mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js
Source: mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js$
Source: mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js/
Source: mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js0acc1ce4a71
Source: mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js2
Source: mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3
Source: mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/
Source: mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js3011b87bd06
Source: mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.js8
Source: mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsD
Source: mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsH
Source: mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsJWnu
Source: mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsN
Source: mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsO
Source: mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsR
Source: mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsV
Source: mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsab
Source: mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder
Source: mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderA
Source: mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderH
Source: mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsdez
Source: mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsetCookies
Source: mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsgraphy
Source: mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsk
Source: mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsl
Source: mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsnt:
Source: mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://632313373.xyz:8443/js/jquery-3.3.1.min.jsr
Source: mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/what?indextype=1&__cfduid=
Source: mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664245105.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EBA1000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036539520.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462820088.0000025C2EB9A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284305766.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/what?indextype=1&__cfduid=GZW54oS6Gn_3HDDEOVbu04tVtOzZbJnhQvE7m469jmEnCoTJ8cr

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.mode11_buqd.exe.c000102000.7.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.mode11_buqd.exe.c000102000.7.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.mode11_buqd.exe.c000102000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.mode11_buqd.exe.c000102000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.mode11_buqd.exe.c000102000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: Process Memory Space: mode11_buqd.exe PID: 7360, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown

Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FCAAB0	0_2_0000025C73FCAAB0
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FC1264	0_2_0000025C73FC1264
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FA916C	0_2_0000025C73FA916C
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FC1928	0_2_0000025C73FC1928
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FC5914	0_2_0000025C73FC5914
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FCCFF0	0_2_0000025C73FCCFF0
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FCB7B0	0_2_0000025C73FCB7B0
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FB6F38	0_2_0000025C73FB6F38
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FCC680	0_2_0000025C73FCC680
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FA9680	0_2_0000025C73FA9680
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FACE3C	0_2_0000025C73FACE3C
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FCE600	0_2_0000025C73FCE600
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FBF5A8	0_2_0000025C73FBF5A8
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FC239C	0_2_0000025C73FC239C
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FCC397	0_2_0000025C73FCC397
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FC0374	0_2_0000025C73FC0374
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FB0334	0_2_0000025C73FB0334
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757DDBF0	0_2_0000025C757DDBF0
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757C7B38	0_2_0000025C757C7B38
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757D1E64	0_2_0000025C757D1E64
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757D2528	0_2_0000025C757D2528
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757D2F9C	0_2_0000025C757D2F9C
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757DD280	0_2_0000025C757DD280
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757D01A8	0_2_0000025C757D01A8

Source: 0.2.mode11_buqd.exe.c000102000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.mode11_buqd.exe.c000102000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.mode11_buqd.exe.25c73fa0000.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.mode11_buqd.exe.c000102000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.mode11_buqd.exe.c000102000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.mode11_buqd.exe.c000102000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: Process Memory Space: mode11_buqd.exe PID: 7360, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.winEXE@2/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03

Source: mode11_buqd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mode11_buqd.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mode11_buqd.exe	ReversingLabs: Detection: 21%
Source: mode11_buqd.exe	Virustotal: Detection: 25%

Source: mode11_buqd.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned" not supported for cpu option "MapIter.Value called before Nextuse of closed network connectioncrypto/aes: output not full blockCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyW142108547152020037174224853515625710542735760100185871124267578125too many levels of symbolic linksslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangeGODEBUG: no value specified for "reflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangewaiting for unsupported file typecrypto/aes: invalid buffer overlapillegal base64 data at input byte CM_Get_Device_Interface_List_SizeWSetFileCompletionNotificationModes3552713678800500929355621337890625too many references: cannot spliceslice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangeunexpected runtime.netpoll error: encoding/hex: odd length hex stringSubscribeServiceChangeNotifications1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9network dropped connection on resettransport endpoint is not connectedpersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid
Source: mode11_buqd.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned" not supported for cpu option "MapIter.Value called before Nextuse of closed network connectioncrypto/aes: output not full blockCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyW142108547152020037174224853515625710542735760100185871124267578125too many levels of symbolic linksslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangeGODEBUG: no value specified for "reflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangewaiting for unsupported file typecrypto/aes: invalid buffer overlapillegal base64 data at input byte CM_Get_Device_Interface_List_SizeWSetFileCompletionNotificationModes3552713678800500929355621337890625too many references: cannot spliceslice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangeunexpected runtime.netpoll error: encoding/hex: odd length hex stringSubscribeServiceChangeNotifications1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9network dropped connection on resettransport endpoint is not connectedpersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid
Source: mode11_buqd.exe	String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go

Source: unknown	Process created: C:\Users\user\Desktop\mode11_buqd.exe "C:\Users\user\Desktop\mode11_buqd.exe"
Source: C:\Users\user\Desktop\mode11_buqd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\mode11_buqd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: mode11_buqd.exe

Static file information: File size 3906560 > 1048576

Source: mode11_buqd.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2dc400

Source: mode11_buqd.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: mode11_buqd.exe	Static PE information: section name: .xdata
Source: mode11_buqd.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C73FD776C push 0000006Ah; retf	0_2_0000025C73FD7784
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757E03FC push ebp; iretd	0_2_0000025C757E0401
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757BA35D push edi; iretd	0_2_0000025C757BA35E
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757BBD58 push ebp; iretd	0_2_0000025C757BBD59
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757DB84F push ebp; iretd	0_2_0000025C757DB850
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757DB898 push ebp; iretd	0_2_0000025C757DB899
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757DB86F push ebp; iretd	0_2_0000025C757DB870
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757BA71E push cs; retf	0_2_0000025C757BA71F
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757BC91C pushad ; retf	0_2_0000025C757BC91D
Source: C:\Users\user\Desktop\mode11_buqd.exe	Code function: 0_2_0000025C757C0901 push ebx; iretd	0_2_0000025C757C0902

Source: C:\Users\user\Desktop\mode11_buqd.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\mode11_buqd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mode11_buqd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\mode11_buqd.exe

Last function: Thread delayed

Source: mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\mode11_buqd.exe

Code function: 0_2_0000025C757C5E28 GetUserNameA,GetModuleFileNameA,strrchr,_snprintf,

0_2_0000025C757C5E28

Source: C:\Users\user\Desktop\mode11_buqd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 0.2.mode11_buqd.exe.25c73fa0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mode11_buqd.exe.25c73fa0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mode11_buqd.exe.c000102000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mode11_buqd.exe PID: 7360, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Obfuscated Files or Information	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mode11_buqd.exe	21%	ReversingLabs
mode11_buqd.exe	25%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsJWnu	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3011b87bd06	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsV	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsH	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsab	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsR	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsnt:	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsN	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js$	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsetCookies	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsD	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsO	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/	100%	Avira URL Cloud	malware
https://632313373.xyz/	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js8	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsdez	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsl	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js0acc1ce4a71	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsk	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderH	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js2	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsgraphy	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/Dc	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderA	100%	Avira URL Cloud	malware
632313373.xyz	100%	Avira URL Cloud	malware
https://632313373.xyz:8443/js/jquery-3.3.1.min.js/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
632313373.xyz	188.114.96.3	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
632313373.xyz	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://o.pki.goog/s/we1/lk00%	mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284305766.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2422666108.0000025C2EB9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsJWnu	mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsV	mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js$	mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/we1.crt0	mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284305766.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2422666108.0000025C2EB9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3011b87bd06	mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsab	mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://c.pki.goog/r/gsr1.crl0	mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542926635.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664245105.0000025C2EB9A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462633796.0000025C2EBAB000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsH	mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3/	mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsnt:	mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsR	mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.google.com/what?indextype=1&__cfduid=	mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsN	mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsO	mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsetCookies	mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/what?indextype=1&__cfduid=GZW54oS6Gn_3HDDEOVbu04tVtOzZbJnhQvE7m469jmEnCoTJ8cr	mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664245105.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EBA1000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036539520.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462820088.0000025C2EB9A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284305766.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.js8	mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js	mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://c.pki.goog/we1/PCUeQViQlYc.crl0	mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284305766.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2422666108.0000025C2EB9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/	mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsD	mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/gsr1.crt0-	mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542926635.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664245105.0000025C2EB9A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462633796.0000025C2EBAB000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsdez	mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://c.pki.goog/r/r4.crl0	mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EBA2000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284354764.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542926635.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EBA2000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz/	mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsl	mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/r4.crt0	mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3462654993.0000025C2EBA2000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2284354764.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB4A000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542926635.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348615326.0000025C2EB9C000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB9B000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2421425639.0000025C2EB99000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EBA2000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441215662.0000025C2EB92000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2441180034.0000025C2EB9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.js0acc1ce4a71	mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsder	mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsk	mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EACC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderH	mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsgraphy	mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js2	mode11_buqd.exe, 00000000.00000003.2664283324.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB32000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB2D000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB2F000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsr	mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://www.google.com/	mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.js3	mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/Dc	mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://i.pki.goog/we1.crt	mode11_buqd.exe, 00000000.00000003.2542943666.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000002.3470887253.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2664149314.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2419891640.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2385867049.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://632313373.xyz:8443/js/jquery-3.3.1.min.jsderA	mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://632313373.xyz:8443/js/jquery-3.3.1.min.js/	mode11_buqd.exe, 00000000.00000003.3036646515.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp, mode11_buqd.exe, 00000000.00000003.2348525114.0000025C2EB62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	632313373.xyz	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583718
Start date and time:	2025-01-03 13:04:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mode11_buqd.exe
Detection:	MAL
Classification:	mal100.troj.winEXE@2/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:05:23	API Interceptor	60x Sleep call for process: mode11_buqd.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
632313373.xyz	m.exe	Get hash	malicious	CobaltStrike	Browse	188.114.97.3
632313373.xyz	svchostinter.exe	Get hash	malicious	CobaltStrike	Browse	172.67.175.230

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://t1.awagama2.org	Get hash	malicious	Unknown	Browse	188.114.96.3
	m.exe	Get hash	malicious	CobaltStrike	Browse	188.114.97.3
	http://www.escudier-sas.fr	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.18.11.207
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	http://www.technoafriwave.rw	Get hash	malicious	Unknown	Browse	1.1.1.1
	dropper.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.665784376667119
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mode11_buqd.exe
File size:	3'906'560 bytes
MD5:	061c6604a402b997dd6aced94ceaff5e
SHA1:	33f3301b7c351637527e2fca7189989c5a7f3803
SHA256:	4a3341b1a681826f08bc9ec90ca24459826bb28f909030ba522d5ae2c92467d7
SHA512:	b608b066313d20354179ed89a594789cdb200c242b2b66974678f45ee47c19e7aaa65cdbc66c5aa0b6521fea414cacdb2c2a1d4ec7043c07837c2100b0ac75b9
SSDEEP:	49152:+UgD5mHuE0r0VOjjC4mkZMyITWt1U4yP21Qsq8VT/0+2Cw2:tpGm
TLSH:	3D06DF0BBCE159B5C0AE92328A7661567A71BC040F3267D73A90B37C2F77BD09A36744
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........;......."..........n................@...............................@...........`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46ec80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	d42595b695fc008ef2c56aabd8efd68e

Entrypoint Preview

Instruction
jmp 00007F52708F44F0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [00387812h]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F52708F7D95h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F527090236Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x401000	0x53e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3fa000	0x5370	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x402000	0x499c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x39a1a0	0x178	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xbbbfc	0xbbc00	10704d168259afefca014f0ac9decebf	False	0.47511130992010653	data	6.267032997413728	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xbd000	0x2dc3c0	0x2dc400	05a92a6d9f4eed592bcedad622d664fc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x39a000	0x5fe40	0x16e00	34ba11b22f7b7bfb4d342bf95dce2cf0	False	0.2855297984972678	data	3.2077796073927614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3fa000	0x5370	0x5400	6b7df8b45d2250e08eb91fb84ea19749	False	0.4015531994047619	data	4.9405195822402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x400000	0xb4	0x200	d5a432b15ea1de5871ba1b040f244088	False	0.228515625	shared library	1.787112262798912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x401000	0x53e	0x600	1eed92b78c29d6c28ea4846d7c7f7421	False	0.3776041666666667	OpenPGP Public Key	4.017189066074398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x402000	0x499c	0x4a00	07327396c5ce6db70861b1b3714f3a06	False	0.30938555743243246	data	5.393634428702928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x407000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 13:05:22.611025095 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:22.615816116 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:22.615891933 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:22.649436951 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:22.654274940 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:23.061463118 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:23.061476946 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:23.061490059 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:23.061532021 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:23.061572075 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:23.112175941 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:23.116980076 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:23.205585003 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:23.205643892 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:23.214257002 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:23.219075918 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:24.265166044 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:24.265187979 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:24.265201092 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:24.265216112 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:24.265228033 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:24.265234947 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:24.265264988 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:24.265311003 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:24.517345905 CET	49736	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:24.522819996 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:24.523075104 CET	49736	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:24.562658072 CET	49736	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:24.567475080 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:24.971374989 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:24.971712112 CET	49736	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:24.972045898 CET	49736	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:24.973237038 CET	49736	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:24.976826906 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:24.978065014 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.077950001 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.077975988 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.077987909 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.077999115 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.078010082 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.078022003 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.078036070 CET	49736	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:26.078071117 CET	49736	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:26.188170910 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:26.188782930 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:26.193115950 CET	8443	49724	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.193620920 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.193698883 CET	49724	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:26.193744898 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:26.193969965 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:26.198760986 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.644179106 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.644244909 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:26.644794941 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:26.645905018 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:26.649694920 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:26.650660992 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:27.732876062 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:27.732896090 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:27.732908010 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:27.732953072 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:27.732974052 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:27.732985973 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:27.732997894 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:27.733002901 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:27.733007908 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:27.733026981 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:27.733052969 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:27.844448090 CET	49736	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:27.852849960 CET	49758	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:27.858560085 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:27.858659029 CET	49758	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:27.858915091 CET	49758	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:27.863241911 CET	8443	49736	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:27.863307953 CET	49736	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:27.863621950 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:28.310101986 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:28.310198069 CET	49758	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:28.310657024 CET	49758	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:28.311665058 CET	49758	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:28.315493107 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:28.316406012 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:29.388050079 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:29.388075113 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:29.388087988 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:29.388099909 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:29.388111115 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:29.388120890 CET	49758	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:29.388123989 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:29.388151884 CET	49758	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:29.388176918 CET	49758	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:34.266480923 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:34.271557093 CET	8443	49747	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:34.271614075 CET	49747	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:34.278707981 CET	49800	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:34.283570051 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:34.283651114 CET	49800	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:34.284679890 CET	49800	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:34.290314913 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:34.737472057 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:34.737575054 CET	49800	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:34.738079071 CET	49800	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:34.739083052 CET	49800	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:34.742805958 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:34.743922949 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:35.884190083 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:35.884231091 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:35.884236097 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:35.884243011 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:35.884260893 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:35.884267092 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:35.884273052 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:35.884320974 CET	49800	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:35.884356022 CET	49800	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:36.237179041 CET	49758	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:36.238013029 CET	49814	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:36.242111921 CET	8443	49758	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:36.242172956 CET	49758	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:36.242815971 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:36.242875099 CET	49814	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:36.243503094 CET	49814	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:36.248328924 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:36.712846041 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:36.712914944 CET	49814	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:36.713288069 CET	49814	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:36.714198112 CET	49814	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:36.718041897 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:36.718972921 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:37.886897087 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:37.886918068 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:37.886929035 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:37.886939049 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:37.886950016 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:37.886961937 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:37.886961937 CET	49814	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:37.887001991 CET	49814	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:37.887027979 CET	49814	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:38.000730991 CET	49800	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:38.005772114 CET	8443	49800	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:38.005825996 CET	49800	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:38.010942936 CET	49828	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:38.015789032 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:38.015849113 CET	49828	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:38.016643047 CET	49828	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:38.021420002 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:38.468457937 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:38.468527079 CET	49828	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:38.499841928 CET	49828	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:38.504614115 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:38.506315947 CET	49828	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:38.511105061 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:39.668828964 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:39.668842077 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:39.668853045 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:39.668864965 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:39.668875933 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:39.668889046 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:39.668899059 CET	49828	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:39.668941975 CET	49828	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:39.781910896 CET	49814	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:39.782387972 CET	49840	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:39.786927938 CET	8443	49814	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:39.786984921 CET	49814	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:39.787199020 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:39.787264109 CET	49840	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:39.787501097 CET	49840	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:39.792256117 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:40.249176979 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:40.249238968 CET	49840	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:40.249671936 CET	49840	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:40.254292965 CET	49840	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:40.254421949 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:40.259114027 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:41.400815010 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:41.400876999 CET	49840	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:41.400883913 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:41.400896072 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:41.400908947 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:41.400914907 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:41.400919914 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:41.400995016 CET	49840	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:41.801065922 CET	49828	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:41.801537991 CET	49855	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:41.806171894 CET	8443	49828	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:41.806276083 CET	49828	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:41.806298971 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:41.806365013 CET	49855	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:41.806734085 CET	49855	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:41.811486959 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:42.272450924 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:42.272555113 CET	49855	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:42.279122114 CET	49855	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:42.280920982 CET	49855	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:42.283881903 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:42.285716057 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:43.421152115 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:43.421179056 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:43.421191931 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:43.421210051 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:43.421221972 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:43.421231985 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:43.421253920 CET	49855	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:43.421334982 CET	49855	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:43.531941891 CET	49840	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:43.537014961 CET	8443	49840	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:43.537136078 CET	49840	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:43.539575100 CET	49865	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:43.544384956 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:43.544524908 CET	49865	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:43.544718981 CET	49865	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:43.549551010 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:44.005812883 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:44.005897045 CET	49865	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:44.006366014 CET	49865	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:44.007450104 CET	49865	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:44.011187077 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:44.012279034 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.123351097 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.123374939 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.123388052 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.123399973 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.123413086 CET	49865	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:45.123414040 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.123429060 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.123435974 CET	49865	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:45.123481989 CET	49865	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:45.236613035 CET	49855	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:45.237085104 CET	49877	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:45.241589069 CET	8443	49855	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.241662979 CET	49855	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:45.241930962 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.242028952 CET	49877	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:45.242224932 CET	49877	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:45.246977091 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.716295958 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.716415882 CET	49877	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:45.716756105 CET	49877	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:45.717829943 CET	49877	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:45.721539021 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:45.722640038 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:46.821583033 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:46.821614981 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:46.821634054 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:46.821646929 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:46.821659088 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:46.821671963 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:46.821691990 CET	49877	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:46.821691990 CET	49877	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:46.821742058 CET	49877	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:46.969985008 CET	49865	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:46.970748901 CET	49888	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:46.975347042 CET	8443	49865	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:46.975399017 CET	49865	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:46.975534916 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:46.975599051 CET	49888	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:46.975917101 CET	49888	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:46.980643034 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:47.429527998 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:47.429682970 CET	49888	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:47.430124998 CET	49888	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:47.431205034 CET	49888	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:47.434964895 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:47.436042070 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:48.585807085 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:48.585827112 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:48.585844040 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:48.585855961 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:48.585871935 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:48.585880995 CET	49888	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:48.585884094 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:48.585894108 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:48.585927963 CET	49888	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:48.585953951 CET	49888	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:48.688235998 CET	49877	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:48.688910007 CET	49901	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:48.693209887 CET	8443	49877	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:48.693279982 CET	49877	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:48.693672895 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:48.693737030 CET	49901	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:48.693939924 CET	49901	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:48.698703051 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:49.143007994 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:49.143071890 CET	49901	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:49.143667936 CET	49901	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:49.144835949 CET	49901	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:49.148392916 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:49.149647951 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.239183903 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.239212990 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.239223003 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.239238024 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.239249945 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.239254951 CET	49901	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:50.239260912 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.239274025 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.239295959 CET	49901	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:50.239321947 CET	49901	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:50.344677925 CET	49888	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:50.345294952 CET	49912	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:50.355084896 CET	8443	49888	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.355099916 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.355137110 CET	49888	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:50.355185986 CET	49912	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:50.355511904 CET	49912	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:50.362809896 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.812189102 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.812254906 CET	49912	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:50.812589884 CET	49912	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:50.813661098 CET	49912	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:50.817399979 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:50.818922043 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:51.955194950 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:51.955208063 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:51.955224991 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:51.955235958 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:51.955248117 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:51.955260992 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:51.955271006 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:51.955282927 CET	49912	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:51.955307961 CET	49912	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:51.955332994 CET	49912	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:52.063509941 CET	49901	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:52.063873053 CET	49925	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:52.068450928 CET	8443	49901	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:52.068511963 CET	49901	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:52.068751097 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:52.068813086 CET	49925	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:52.069003105 CET	49925	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:52.073770046 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:52.523055077 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:52.526674986 CET	49925	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:52.588228941 CET	49925	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:52.589294910 CET	49925	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:52.593010902 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:52.594018936 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:53.704479933 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:53.704502106 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:53.704530001 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:53.704547882 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:53.704560041 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:53.704565048 CET	49925	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:53.704572916 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:53.704602003 CET	49925	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:53.704631090 CET	49925	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:53.829066038 CET	49912	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:53.829473972 CET	49938	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:53.834125042 CET	8443	49912	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:53.834239960 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:53.834311962 CET	49912	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:53.834328890 CET	49938	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:53.834594011 CET	49938	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:53.839380026 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:54.302628040 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:54.308485985 CET	49938	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:54.308753967 CET	49938	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:54.309598923 CET	49938	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:54.313606977 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:54.314441919 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:55.456538916 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:55.456562996 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:55.456579924 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:55.456590891 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:55.456603050 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:55.456614017 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:55.456681013 CET	49938	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:55.456748962 CET	49938	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:55.563715935 CET	49925	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:55.564424992 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:55.568720102 CET	8443	49925	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:55.568795919 CET	49925	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:55.569180012 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:55.569262981 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:55.569602966 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:55.574426889 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:56.033248901 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:56.033338070 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:56.033941984 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:56.035227060 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:56.038712978 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:56.040024996 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.202199936 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.202223063 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.202234983 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.202254057 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.202265024 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.202280998 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.202308893 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.202358961 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.202385902 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.292690039 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.292779922 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.407296896 CET	49938	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.407768965 CET	49963	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.412377119 CET	8443	49938	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.412452936 CET	49938	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.412533045 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.412722111 CET	49963	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.413016081 CET	49963	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.417824984 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.886828899 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.887037039 CET	49963	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.887634993 CET	49963	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.888775110 CET	49963	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:57.892388105 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:57.893578053 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:58.965150118 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:58.965183020 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:58.965210915 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:58.965235949 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:58.965255022 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:58.965270996 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:58.965289116 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:58.965306044 CET	49963	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:58.965362072 CET	49963	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:59.079144955 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:59.079906940 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:59.084218025 CET	8443	49949	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:59.084295988 CET	49949	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:59.084687948 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:59.084770918 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:59.085081100 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:59.089823961 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:59.530833006 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:59.530934095 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:59.531255960 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:59.532464027 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:05:59.536036968 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:05:59.537220001 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:00.630630970 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:00.630647898 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:00.630738020 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:00.630803108 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:00.630814075 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:00.630834103 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:00.630877018 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:00.630882025 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:00.630897999 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:00.630903959 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:00.630913019 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:00.630929947 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:00.630959988 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:00.735151052 CET	49963	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:00.735718012 CET	49986	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:00.740140915 CET	8443	49963	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:00.740372896 CET	49963	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:00.740461111 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:00.740539074 CET	49986	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:00.740900040 CET	49986	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:00.745663881 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:01.189273119 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:01.189377069 CET	49986	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:01.189793110 CET	49986	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:01.190771103 CET	49986	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:01.194525003 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:01.195548058 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.262794971 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.262854099 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.262866020 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.262882948 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.262893915 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.262919903 CET	49986	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:02.262960911 CET	49986	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:02.349622965 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.349736929 CET	49986	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:02.453941107 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:02.454371929 CET	49997	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:02.458899975 CET	8443	49975	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.458970070 CET	49975	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:02.459209919 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.459276915 CET	49997	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:02.459446907 CET	49997	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:02.464243889 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.924869061 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.924947977 CET	49997	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:02.925286055 CET	49997	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:02.926141977 CET	49997	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:02.930090904 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:02.930948019 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.028028011 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.028088093 CET	49997	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:04.028090954 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.028104067 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.028124094 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.028136015 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.028151989 CET	49997	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:04.028151989 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.028203011 CET	49997	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:04.141407967 CET	49986	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:04.141851902 CET	50008	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:04.146380901 CET	8443	49986	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.146459103 CET	49986	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:04.146652937 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.146722078 CET	50008	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:04.147069931 CET	50008	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:04.152554035 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.612986088 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.614782095 CET	50008	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:04.615082026 CET	50008	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:04.615999937 CET	50008	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:04.619889975 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:04.620773077 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:05.711843967 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:05.711921930 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:05.711932898 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:05.711942911 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:05.711952925 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:05.711975098 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:05.711982012 CET	50008	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:05.712028980 CET	50008	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:05.712049961 CET	50008	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:05.829054117 CET	49997	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:05.834032059 CET	8443	49997	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:05.834085941 CET	49997	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:05.846780062 CET	50013	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:05.851560116 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:05.851655006 CET	50013	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:05.851864100 CET	50013	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:05.856616020 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:06.307657957 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:06.307723999 CET	50013	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:06.308094025 CET	50013	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:06.308954000 CET	50013	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:06.312864065 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:06.313752890 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:07.418584108 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:07.418755054 CET	50013	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:07.418801069 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:07.418812990 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:07.418832064 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:07.418844938 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:07.418857098 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:07.418867111 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:07.418915987 CET	50013	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:07.419013023 CET	50013	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:07.532093048 CET	50008	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:07.532726049 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:07.537159920 CET	8443	50008	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:07.537254095 CET	50008	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:07.537503958 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:07.537573099 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:07.537791014 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:07.542620897 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:08.002914906 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:08.003000975 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:08.003501892 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:08.004523993 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:08.008276939 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:08.009293079 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.152870893 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.152893066 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.152909040 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.152923107 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.152968884 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.152975082 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.152992010 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.153003931 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.153186083 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.153186083 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.153186083 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.266510963 CET	50013	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.267146111 CET	50015	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.271768093 CET	8443	50013	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.271862030 CET	50013	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.271955967 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.272032976 CET	50015	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.272399902 CET	50015	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.277179003 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.739020109 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.739104986 CET	50015	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.739676952 CET	50015	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.740731955 CET	50015	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:09.745232105 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:09.746269941 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:10.848618031 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:10.848633051 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:10.848644018 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:10.848655939 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:10.848668098 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:10.848679066 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:10.848690033 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:10.848773956 CET	50015	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:10.848834991 CET	50015	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:10.953969002 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:10.954585075 CET	50016	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:10.959013939 CET	8443	50014	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:10.959094048 CET	50014	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:10.959347963 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:10.959418058 CET	50016	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:10.961180925 CET	50016	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:10.965918064 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:11.407267094 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:11.407373905 CET	50016	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:11.407908916 CET	50016	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:11.408953905 CET	50016	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:11.412688971 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:11.413710117 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:12.567748070 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:12.567773104 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:12.567785025 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:12.567807913 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:12.567817926 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:12.567830086 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:12.567910910 CET	50016	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:12.567987919 CET	50016	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:12.672883987 CET	50015	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:12.673501015 CET	50018	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:12.677845955 CET	8443	50015	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:12.677948952 CET	50015	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:12.678287029 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:12.678356886 CET	50018	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:12.678561926 CET	50018	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:12.683382988 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:13.143018961 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:13.143143892 CET	50018	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:13.214557886 CET	50018	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:13.219409943 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:13.226347923 CET	50018	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:13.231117010 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.313684940 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.313699961 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.313713074 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.313730955 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.313744068 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.313755989 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.313767910 CET	50018	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:14.313801050 CET	50018	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:14.313828945 CET	50018	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:14.422590017 CET	50016	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:14.423085928 CET	50019	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:14.427697897 CET	8443	50016	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.427774906 CET	50016	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:14.427907944 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.427979946 CET	50019	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:14.428160906 CET	50019	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:14.432962894 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.874803066 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.874980927 CET	50019	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:14.875597000 CET	50019	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:14.876521111 CET	50019	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:14.880342007 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:14.881258011 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:15.976259947 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:15.976281881 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:15.976294041 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:15.976306915 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:15.976320028 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:15.976331949 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:15.976351976 CET	50019	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:15.976402998 CET	50019	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:16.140659094 CET	50018	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:16.141027927 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:16.145674944 CET	8443	50018	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:16.145726919 CET	50018	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:16.145821095 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:16.145884991 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:16.188951015 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:16.193809986 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:16.592426062 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:16.592508078 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:16.599442005 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:16.600979090 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:16.604233027 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:16.605726957 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:17.683222055 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:17.683252096 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:17.683270931 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:17.683290005 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:17.683284998 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:17.683305025 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:17.683327913 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:17.683334112 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:17.683334112 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:17.683334112 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:17.683348894 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:17.683357954 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:17.797933102 CET	50019	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:17.798371077 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:17.802922010 CET	8443	50019	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:17.803168058 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:17.803251982 CET	50019	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:17.803302050 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:17.803530931 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:17.808289051 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:18.291244984 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:18.291316986 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:18.291779995 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:18.293210983 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:18.296554089 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:18.298079014 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:19.388829947 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:19.388849974 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:19.388864040 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:19.388875008 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:19.388887882 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:19.388895988 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:19.388926029 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:19.388956070 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:19.477677107 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:19.477778912 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:19.594403028 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:19.594844103 CET	50023	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:19.599371910 CET	8443	50021	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:19.599554062 CET	50021	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:19.599606037 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:19.599673986 CET	50023	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:19.599906921 CET	50023	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:19.604717970 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:20.047426939 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:20.048626900 CET	50023	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:20.048986912 CET	50023	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:20.049949884 CET	50023	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:20.053828001 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:20.054738998 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.134613037 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.134644032 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.134655952 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.134670019 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.134684086 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.134696007 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.134766102 CET	50023	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:21.134809971 CET	50023	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:21.250876904 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:21.251333952 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:21.255951881 CET	8443	50022	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.256031036 CET	50022	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:21.256155014 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.256218910 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:21.256478071 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:21.261240005 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.703814983 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.703896046 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:21.714912891 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:21.716006994 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:21.719686031 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:21.720741034 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:22.841793060 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:22.841845989 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:22.841857910 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:22.841865063 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:22.841870070 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:22.841881990 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:22.841895103 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:22.841909885 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:22.841909885 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:22.841933966 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:22.954701900 CET	50023	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:22.955192089 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:22.959825039 CET	8443	50023	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:22.959908009 CET	50023	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:22.959966898 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:22.960035086 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:22.960280895 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:22.965022087 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:23.407428026 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:23.407499075 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:23.407892942 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:23.408967018 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:23.412714005 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:23.413765907 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:24.503142118 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:24.503164053 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:24.503174067 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:24.503196001 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:24.503225088 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:24.503235102 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:24.503237009 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:24.503251076 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:24.503259897 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:24.503271103 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:24.503289938 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:24.503315926 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:24.610985994 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:24.611479044 CET	50026	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:24.615946054 CET	8443	50024	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:24.616044998 CET	50024	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:24.616290092 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:24.616384983 CET	50026	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:24.616652012 CET	50026	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:24.621433973 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:25.064328909 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:25.064415932 CET	50026	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:25.064860106 CET	50026	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:25.065810919 CET	50026	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:25.069637060 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:25.070615053 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.156326056 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.156343937 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.156356096 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.156368017 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.156384945 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.156397104 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.156497002 CET	50026	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:26.156652927 CET	50026	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:26.267070055 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:26.267574072 CET	50027	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:26.272115946 CET	8443	50025	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.272219896 CET	50025	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:26.272351980 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.272422075 CET	50027	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:26.272684097 CET	50027	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:26.277488947 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.723587036 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.723675013 CET	50027	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:26.724097013 CET	50027	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:26.725095034 CET	50027	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:26.728893995 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:26.729845047 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:27.822945118 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:27.823035955 CET	50027	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:27.823055029 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:27.823066950 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:27.823079109 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:27.823091984 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:27.823103905 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:27.823113918 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:27.823116064 CET	50027	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:27.823163986 CET	50027	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:27.938941002 CET	50026	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:27.939371109 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:27.944103956 CET	8443	50026	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:27.944194078 CET	50026	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:27.944433928 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:27.944508076 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:27.944814920 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:27.949660063 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:28.398941994 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:28.399025917 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:28.399404049 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:28.400330067 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:28.404267073 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:28.405050993 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:29.541547060 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:29.541599035 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:29.541613102 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:29.541626930 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:29.541629076 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:29.541647911 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:29.541650057 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:29.541666985 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:29.541672945 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:29.541713953 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:29.657648087 CET	50027	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:29.658145905 CET	50029	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:29.662678957 CET	8443	50027	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:29.662750959 CET	50027	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:29.662934065 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:29.663130045 CET	50029	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:29.663400888 CET	50029	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:29.668236017 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:30.152127981 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:30.152240038 CET	50029	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:30.152734041 CET	50029	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:30.153572083 CET	50029	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:30.157593012 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:30.158421993 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.251518965 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.251559973 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.251575947 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.251590967 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.251605988 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.251621008 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.251624107 CET	50029	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:31.251636028 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.251655102 CET	50029	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:31.251688004 CET	50029	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:31.360830069 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:31.361265898 CET	50030	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:31.366105080 CET	8443	50028	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.366179943 CET	50028	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:31.366213083 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.366276026 CET	50030	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:31.366494894 CET	50030	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:31.371709108 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.866579056 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.866669893 CET	50030	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:31.867129087 CET	50030	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:31.868041992 CET	50030	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:31.871867895 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:31.872792006 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:32.959036112 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:32.959052086 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:32.959064007 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:32.959089041 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:32.959100962 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:32.959111929 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:32.959130049 CET	50030	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:32.959170103 CET	50030	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:33.045736074 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:33.045813084 CET	50030	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:33.157665014 CET	50029	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:33.158149004 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:33.162617922 CET	8443	50029	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:33.162694931 CET	50029	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:33.162903070 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:33.162969112 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:33.163175106 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:33.167944908 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:33.617271900 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:33.617367029 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:33.617902994 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:33.618896008 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:33.622632980 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:33.623656034 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:34.758203983 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:34.758232117 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:34.758244991 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:34.758256912 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:34.758270025 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:34.758272886 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:34.758291006 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:34.758304119 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:34.758316994 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:34.758342028 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:39.689043999 CET	50030	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:39.689522982 CET	50032	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:39.694128990 CET	8443	50030	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:39.694197893 CET	50030	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:39.694386005 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:39.694457054 CET	50032	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:39.694696903 CET	50032	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:39.699501038 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:40.141120911 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:40.141304016 CET	50032	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:40.141691923 CET	50032	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:40.142769098 CET	50032	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:40.146503925 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:40.147583008 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.220865011 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.220937967 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.220948935 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.220961094 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.220972061 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.220982075 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.220992088 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.221016884 CET	50032	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:41.221076012 CET	50032	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:41.332519054 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:41.333000898 CET	50035	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:41.337584019 CET	8443	50031	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.337820053 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.337908030 CET	50031	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:41.337971926 CET	50035	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:41.338255882 CET	50035	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:41.343056917 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.783174038 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.784143925 CET	50035	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:41.784562111 CET	50035	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:41.787753105 CET	50035	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:41.789432049 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:41.792507887 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:42.948049068 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:42.948075056 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:42.948086023 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:42.948097944 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:42.948110104 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:42.948120117 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:42.948131084 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:42.948234081 CET	50035	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:42.948571920 CET	50035	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:43.064451933 CET	50032	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:43.069449902 CET	8443	50032	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:43.069508076 CET	50032	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:43.094325066 CET	50036	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:43.099128008 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:43.099214077 CET	50036	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:43.099522114 CET	50036	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:43.104336977 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:43.543580055 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:43.543668032 CET	50036	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:43.544076920 CET	50036	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:43.545049906 CET	50036	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:43.548868895 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:43.549823046 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:44.622539043 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:44.622566938 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:44.622577906 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:44.622590065 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:44.622605085 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:44.622615099 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:44.622632027 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:44.622626066 CET	50036	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:44.622661114 CET	50036	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:44.622680902 CET	50036	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:44.735835075 CET	50035	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:44.736308098 CET	50037	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:44.740823984 CET	8443	50035	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:44.740895987 CET	50035	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:44.741177082 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:44.741240978 CET	50037	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:44.741426945 CET	50037	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:44.746225119 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:45.202831984 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:45.202893972 CET	50037	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:45.203361034 CET	50037	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:45.204468966 CET	50037	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:45.208163023 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:45.209225893 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.398222923 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.398248911 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.398261070 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.398272038 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.398283005 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.398293972 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.398365021 CET	50037	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:46.398422003 CET	50037	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:46.501394033 CET	50036	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:46.501863956 CET	50038	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:46.506545067 CET	8443	50036	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.506618977 CET	50036	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:46.506654024 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.506726980 CET	50038	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:46.506997108 CET	50038	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:46.511748075 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.969646931 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.969733953 CET	50038	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:46.970099926 CET	50038	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:46.970990896 CET	50038	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:46.974858999 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:46.975826025 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.110070944 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.110106945 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.110120058 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.110132933 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.110146046 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.110161066 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.110188007 CET	50038	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:48.110219002 CET	50038	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:48.220396996 CET	50037	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:48.220777988 CET	50039	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:48.225493908 CET	8443	50037	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.225536108 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.225569963 CET	50037	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:48.225615978 CET	50039	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:48.225824118 CET	50039	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:48.230577946 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.690120935 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.690226078 CET	50039	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:48.690656900 CET	50039	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:48.691545010 CET	50039	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:48.696360111 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:48.696641922 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:49.879127026 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:49.879143000 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:49.879164934 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:49.879179001 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:49.879192114 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:49.879204035 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:49.879209042 CET	50039	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:49.879216909 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:49.879256010 CET	50039	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:49.879272938 CET	50039	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:49.985970020 CET	50038	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:49.986643076 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:49.991008997 CET	8443	50038	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:49.991099119 CET	50038	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:49.991417885 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:49.991492987 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:49.991678953 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:49.996486902 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:50.448807001 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:50.448919058 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:50.449383974 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:50.450318098 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:50.454205036 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:50.455267906 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:51.569675922 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:51.569693089 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:51.569719076 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:51.569732904 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:51.569746971 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:51.569827080 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:51.569907904 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:51.569933891 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:51.569998980 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:51.569998980 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:51.569998980 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:51.673605919 CET	50039	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:51.674046993 CET	50041	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:51.678706884 CET	8443	50039	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:51.678829908 CET	50039	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:51.678939104 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:51.679025888 CET	50041	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:51.680217028 CET	50041	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:51.684961081 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:52.146142960 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:52.146207094 CET	50041	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:52.146680117 CET	50041	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:52.147694111 CET	50041	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:52.151492119 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:52.152518988 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.270606995 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.270633936 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.270647049 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.270661116 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.270673037 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.270693064 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.270701885 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.270706892 CET	50041	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:53.270736933 CET	50041	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:53.270782948 CET	50041	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:53.376470089 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:53.376949072 CET	50042	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:53.381505966 CET	8443	50040	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.381714106 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.381772041 CET	50040	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:53.381793022 CET	50042	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:53.382066011 CET	50042	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:53.386816978 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.893146992 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.893232107 CET	50042	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:53.893632889 CET	50042	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:53.894573927 CET	50042	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:53.898422003 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:53.899365902 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.018254042 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.018271923 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.018281937 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.018291950 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.018301964 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.018313885 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.018330097 CET	50042	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:55.018376112 CET	50042	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:55.126686096 CET	50041	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:55.127347946 CET	50043	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:55.131756067 CET	8443	50041	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.131825924 CET	50041	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:55.132179022 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.132244110 CET	50043	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:55.132539034 CET	50043	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:55.137253046 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.599981070 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.600061893 CET	50043	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:55.600419998 CET	50043	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:55.601562977 CET	50043	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:55.605335951 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:55.607316017 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:56.775198936 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:56.775213957 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:56.775224924 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:56.775234938 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:56.775247097 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:56.775259018 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:56.775270939 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:56.775269032 CET	50043	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:56.775321960 CET	50043	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:56.876543045 CET	50042	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:56.877084017 CET	50044	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:56.881597042 CET	8443	50042	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:56.881680012 CET	50042	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:56.881927013 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:56.882009983 CET	50044	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:56.882317066 CET	50044	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:56.887067080 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:57.332328081 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:57.332418919 CET	50044	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:57.332827091 CET	50044	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:57.333749056 CET	50044	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:57.337618113 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:57.338516951 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:58.455354929 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:58.455368996 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:58.455387115 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:58.455398083 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:58.455410004 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:58.455421925 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:58.455434084 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:58.455553055 CET	50044	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:58.455553055 CET	50044	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:58.564003944 CET	50043	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:58.564502954 CET	50045	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:58.568974972 CET	8443	50043	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:58.569057941 CET	50043	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:58.569286108 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:58.569363117 CET	50045	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:58.569701910 CET	50045	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:58.574471951 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:59.090126038 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:59.090198040 CET	50045	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:59.090681076 CET	50045	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:59.091556072 CET	50045	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:06:59.095475912 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:06:59.096329927 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.228527069 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.228539944 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.228550911 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.228562117 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.228573084 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.228584051 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.228594065 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.228610992 CET	50045	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:00.228648901 CET	50045	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:00.347162008 CET	50044	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:00.350454092 CET	50046	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:00.352066040 CET	8443	50044	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.352159023 CET	50044	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:00.355381012 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.355443954 CET	50046	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:00.356411934 CET	50046	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:00.361222029 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.802360058 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.802450895 CET	50046	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:00.802831888 CET	50046	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:00.803719997 CET	50046	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:00.807596922 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:00.808449030 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:01.961422920 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:01.961445093 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:01.961457968 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:01.961468935 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:01.961481094 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:01.961492062 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:01.961503029 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:01.961575985 CET	50046	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:01.964627028 CET	50046	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:02.069480896 CET	50045	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:02.074454069 CET	8443	50045	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:02.074527025 CET	50045	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:02.130348921 CET	50047	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:02.135149002 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:02.135234118 CET	50047	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:02.138104916 CET	50047	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:02.142844915 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:02.591298103 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:02.591372013 CET	50047	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:02.596698046 CET	50047	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:02.598335981 CET	50047	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:02.601553917 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:02.603166103 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:03.728625059 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:03.728652954 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:03.728666067 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:03.728677034 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:03.728688002 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:03.728698969 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:03.728735924 CET	50047	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:03.728775024 CET	50047	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:03.831407070 CET	50046	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:03.831945896 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:03.836415052 CET	8443	50046	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:03.836472034 CET	50046	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:03.836767912 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:03.836832047 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:03.837044954 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:03.841792107 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:04.312342882 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:04.312436104 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:04.312860966 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:04.313832045 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:04.317679882 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:04.318615913 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:05.453084946 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:05.453182936 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:05.453211069 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:05.453227043 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:05.453239918 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:05.453250885 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:05.453257084 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:05.453262091 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:05.453269958 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:05.453273058 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:05.453293085 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:05.453325987 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:05.565774918 CET	50047	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:05.566061974 CET	50049	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:05.570708036 CET	8443	50047	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:05.570761919 CET	50047	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:05.570825100 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:05.570890903 CET	50049	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:05.571208954 CET	50049	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:05.575949907 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:06.021224022 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:06.021337986 CET	50049	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:06.023576975 CET	50049	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:06.024522066 CET	50049	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:06.028507948 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:06.029406071 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.146964073 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.146985054 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.146996975 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.147008896 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.147021055 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.147032976 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.147058964 CET	50049	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:07.147077084 CET	50049	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:07.251297951 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:07.251754999 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:07.256251097 CET	8443	50048	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.256313086 CET	50048	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:07.256608009 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.256665945 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:07.256844044 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:07.261579990 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.722276926 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.722389936 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:07.722848892 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:07.723809004 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:07.727926016 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:07.728765011 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:08.842616081 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:08.842696905 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:08.842710018 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:08.842713118 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:08.842720985 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:08.842732906 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:08.842742920 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:08.842745066 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:08.842782974 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:08.842809916 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:08.933281898 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:08.933351040 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:09.047980070 CET	50049	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:09.048445940 CET	50052	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:09.053049088 CET	8443	50049	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:09.053116083 CET	50049	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:09.053256989 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:09.053425074 CET	50052	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:09.053690910 CET	50052	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:09.058445930 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:09.519998074 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:09.520178080 CET	50052	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:09.520590067 CET	50052	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:09.521538973 CET	50052	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:09.525356054 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:09.526364088 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:10.597126961 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:10.597150087 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:10.597167969 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:10.597179890 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:10.597193003 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:10.597192049 CET	50052	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:10.597203970 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:10.597217083 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:10.597219944 CET	50052	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:10.597270012 CET	50052	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:15.610510111 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:15.611064911 CET	50053	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:15.615493059 CET	8443	50050	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:15.615564108 CET	50050	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:15.615926981 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:15.615997076 CET	50053	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:15.616199017 CET	50053	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:15.621000051 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:16.080429077 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:16.080523014 CET	50053	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:16.080940962 CET	50053	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:16.082123995 CET	50053	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:16.085669041 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:16.086875916 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.149460077 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.149472952 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.149483919 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.149496078 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.149506092 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.149517059 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.149535894 CET	50053	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:17.149740934 CET	50053	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:17.251338959 CET	50052	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:17.251725912 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:17.256232023 CET	8443	50052	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.256303072 CET	50052	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:17.256509066 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.256568909 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:17.256762028 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:17.261539936 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.722706079 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.722768068 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:17.723278046 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:17.724148989 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:17.728097916 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:17.728966951 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:18.845767021 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:18.845788002 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:18.845807076 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:18.845824957 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:18.845829010 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:18.845835924 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:18.845851898 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:18.845864058 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:18.845875025 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:18.845890045 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:18.845904112 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:18.954261065 CET	50053	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:18.954725981 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:18.959233046 CET	8443	50053	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:18.959341049 CET	50053	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:18.959476948 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:18.959556103 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:18.959837914 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:18.964560986 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:19.405308962 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:19.405383110 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:19.405756950 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:19.406814098 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:19.410516977 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:19.411636114 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:20.534241915 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:20.534261942 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:20.534277916 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:20.534290075 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:20.534291983 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:20.534301043 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:20.534316063 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:20.534331083 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:20.534360886 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:20.534462929 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:20.534472942 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:20.534508944 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:20.641726971 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:20.642294884 CET	50056	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:20.646748066 CET	8443	50054	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:20.646812916 CET	50054	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:20.647078991 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:20.647150040 CET	50056	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:20.647409916 CET	50056	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:20.652153015 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:21.107726097 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:21.107806921 CET	50056	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:21.108135939 CET	50056	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:21.109039068 CET	50056	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:21.112946033 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:21.113774061 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.240895987 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.240962029 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.240968943 CET	50056	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:22.240972996 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.240983963 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.240994930 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.241003036 CET	50056	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:22.241005898 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.241049051 CET	50056	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:22.345652103 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:22.347040892 CET	50057	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:22.350564003 CET	8443	50055	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.350645065 CET	50055	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:22.351875067 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.351965904 CET	50057	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:22.352158070 CET	50057	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:22.356954098 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.817439079 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.817504883 CET	50057	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:22.817893028 CET	50057	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:22.818932056 CET	50057	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:22.822680950 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:22.823652029 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:23.894356966 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:23.894370079 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:23.894381046 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:23.894397020 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:23.894407988 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:23.894418955 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:23.894491911 CET	50057	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:23.894507885 CET	50057	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:24.001178980 CET	50056	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:24.001856089 CET	50058	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:24.006098032 CET	8443	50056	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:24.006148100 CET	50056	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:24.006567955 CET	8443	50058	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:24.006634951 CET	50058	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:24.006920099 CET	50058	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:24.011621952 CET	8443	50058	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:24.465281010 CET	8443	50058	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:24.465419054 CET	50058	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:24.465847969 CET	50058	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:24.466737032 CET	50058	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:24.470640898 CET	8443	50058	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:24.471448898 CET	8443	50058	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:25.561881065 CET	8443	50058	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:25.561917067 CET	8443	50058	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:25.561929941 CET	8443	50058	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:25.561944962 CET	8443	50058	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:25.561968088 CET	50058	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:25.561969995 CET	8443	50058	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:25.561983109 CET	8443	50058	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:25.562006950 CET	50058	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:25.562050104 CET	50058	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:25.677608013 CET	50057	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:25.683768988 CET	8443	50057	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:25.683819056 CET	50057	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:25.707391024 CET	50059	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:25.712944984 CET	8443	50059	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:25.713056087 CET	50059	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:25.713321924 CET	50059	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:25.718588114 CET	8443	50059	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:26.162846088 CET	8443	50059	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:26.162925005 CET	50059	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:26.163331985 CET	50059	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:26.164422035 CET	50059	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:26.168083906 CET	8443	50059	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:26.169241905 CET	8443	50059	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:27.228336096 CET	8443	50059	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:27.228360891 CET	8443	50059	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:27.228372097 CET	8443	50059	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:27.228414059 CET	8443	50059	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:27.228425980 CET	8443	50059	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:27.228436947 CET	8443	50059	188.114.96.3	192.168.2.5
Jan 3, 2025 13:07:27.228503942 CET	50059	8443	192.168.2.5	188.114.96.3
Jan 3, 2025 13:07:27.228718996 CET	50059	8443	192.168.2.5	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 13:05:22.568569899 CET	65381	53	192.168.2.5	1.1.1.1
Jan 3, 2025 13:05:22.604547024 CET	53	65381	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 13:05:22.568569899 CET	192.168.2.5	1.1.1.1	0x8e37	Standard query (0)	632313373.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 13:05:22.604547024 CET	1.1.1.1	192.168.2.5	0x8e37	No error (0)	632313373.xyz		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 3, 2025 13:05:22.604547024 CET	1.1.1.1	192.168.2.5	0x8e37	No error (0)	632313373.xyz		188.114.97.3	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:05:21
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\mode11_buqd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\mode11_buqd.exe"
Imagebase:	0x420000
File size:	3'906'560 bytes
MD5 hash:	061C6604A402B997DD6ACED94CEAFF5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3470228905.000000C000102000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	07:05:21
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.7%
Total number of Nodes:	212
Total number of Limit Nodes:	26

Executed Functions

Function 0000025C757BE68C Relevance: 9.3, APIs: 6, Instructions: 260
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.LIBCMT ref: 0000025C757BE725

Part of subcall function 0000025C757CF63C: _errno.LIBCMT ref: 0000025C757CF673
Part of subcall function 0000025C757CF63C: _invalid_parameter_noinfo.LIBCMT ref: 0000025C757CF67E

_snprintf.LIBCMT ref: 0000025C757BE7BD
InternetQueryDataAvailable.WININET ref: 0000025C757BE87A

Part of subcall function 0000025C757C2D70: strchr.LIBCMT ref: 0000025C757C2DD6
Part of subcall function 0000025C757C2D70: _snprintf.LIBCMT ref: 0000025C757C2E0C

Part of subcall function 0000025C757C2C0C: strchr.LIBCMT ref: 0000025C757C2C69
Part of subcall function 0000025C757C2C0C: _snprintf.LIBCMT ref: 0000025C757C2CB3

_snprintf.LIBCMT ref: 0000025C757BE7D4

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _snprintf$strchr$AvailableDataInternetQuery_errno_invalid_parameter_noinfo
String ID:
API String ID: 2459009813-0
Opcode ID: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
Instruction ID: 071a598ed97edd8e24e25ad2ef39bc25bc81c78aae947aa614a954e69e52b133
Opcode Fuzzy Hash: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
Instruction Fuzzy Hash: E6819431A28F484FE755EB14D8C96A9B3E9FB98312F10056DE84AC3291EE34DD06CB85

Function 0000025C757C5E28 Relevance: 6.2, APIs: 4, Instructions: 190
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000025C757C5FEC: malloc.LIBCMT ref: 0000025C757C6008

GetUserNameA.ADVAPI32(?,?,?,?,?,?,?,-00000001,?,-00000001,?,00000002,0000025C757BCC89), ref: 0000025C757C5EAF
GetModuleFileNameA.KERNELBASE ref: 0000025C757C5EDB
strrchr.LIBCMT ref: 0000025C757C5EED
_snprintf.LIBCMT ref: 0000025C757C5F9B

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: Name$FileModuleUser_snprintfmallocstrrchr
String ID:
API String ID: 1730036252-0
Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction ID: 2147688614abea66b04c3ba66904fd4795c450e8450c0e1825b6b1862440e1bb
Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction Fuzzy Hash: 3B517830728F080FEA58AB6C98997B9B2D6E78D301F20455DE48FC3693E934DC028745

Function 0000025C757BCA74 Relevance: 7.9, APIs: 6, Instructions: 411
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000025C757C5FEC: malloc.LIBCMT ref: 0000025C757C6008

malloc.LIBCMT ref: 0000025C757BCB3B

Part of subcall function 0000025C757CF284: _FF_MSGBANNER.LIBCMT ref: 0000025C757CF2B4
Part of subcall function 0000025C757CF284: _NMSG_WRITE.LIBCMT ref: 0000025C757CF2BE
Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF2F2
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF2FD
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF308

Part of subcall function 0000025C757CC230: malloc.LIBCMT ref: 0000025C757CC29C

Part of subcall function 0000025C757CEAA8: malloc.LIBCMT ref: 0000025C757CEAF8

Part of subcall function 0000025C757CEAA8: realloc.LIBCMT ref: 0000025C757CEB07

malloc.LIBCMT ref: 0000025C757BCC4A
_snprintf.LIBCMT ref: 0000025C757BCCC1
_snprintf.LIBCMT ref: 0000025C757BCCE7
_snprintf.LIBCMT ref: 0000025C757BCD0E
free.LIBCMT ref: 0000025C757BCEC6

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno$_callnewhfreerealloc
String ID:
API String ID: 74200508-0
Opcode ID: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction ID: 115a2efc923f2900ace27959650d6e31a4771502730976c074973e862a72a691
Opcode Fuzzy Hash: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction Fuzzy Hash: 72D19920624F454FEB54B7248CDA3A9F2EDEB8C302F6145ADA446C3AD3FE349D05CA49

Function 0000025C757BF014 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32 ref: 0000025C757BF042
WSAIoctl.WS2_32 ref: 0000025C757BF08F
closesocket.WS2_32 ref: 0000025C757BF0EE

Strings

_Cy, xrefs: 0000025C757BF0A1

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: IoctlSocketclosesocket
String ID: _Cy
API String ID: 3445158922-1085951347
Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction ID: da01755540ed28102ef89ded1d66c49e783fc76424dd89a129ae0c1ba712c6a8
Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction Fuzzy Hash: 64319530918F484FD7549E2898C8766B7E5EBA8315F21466EE44AC32A1EB34C942CB45

Function 0000025C757BEA48 Relevance: 3.2, APIs: 2, Instructions: 159
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 0000025C757BEB0C
InternetConnectA.WININET ref: 0000025C757BEB7A

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction ID: ca60bfb6fb1bbe6ca61bea3e1f7ea65d3252813548f376f403efd04f46516372
Opcode Fuzzy Hash: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction Fuzzy Hash: 06519830628F044FEB59DB18D8D9769B3E9FB4C305F21046DE48BC7692EA789D06CB46

Function 0000025C73FB96B4 Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000025C73FB977B

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
Instruction ID: 6412084bef716448d45d398ee03edbe7de462d632996b66f53c632c993610193
Opcode Fuzzy Hash: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
Instruction Fuzzy Hash: 1A718636219F8486CAA0CB1AE49035AB7A4F7C8B94F508125EFCE83B69DF3DD555CB04

Function 0000025C73FB9324 Relevance: 1.3, APIs: 1, Instructions: 87
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000025C73FB9471

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction ID: be3f4f59f3395caee663be3887b8ddb5f445a7c9a9e0d9e083f8c455e5c380f7
Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction Fuzzy Hash: F941BA76628B84C7DB50CB19E44471AB7A5F3C8B94F105125FADE83BA8DB3CD4518F04

Function 0048F220 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3468748922.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.3468732052.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3468821729.00000000004DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469077174.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469098913.00000000007BC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469121315.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469139102.00000000007CE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469169953.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469169953.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469169953.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469169953.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469169953.0000000000816000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469287065.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469301523.0000000000821000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469318099.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_mode11_buqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a83c295b55d1fb3924cfc6086ff6026e810ee76d85704118357723c5304dc2
Instruction ID: 5dea1a7c60ea6db613da8a8420ba4a5fd7b661128deb9cfa87656a62accfbd76
Opcode Fuzzy Hash: a2a83c295b55d1fb3924cfc6086ff6026e810ee76d85704118357723c5304dc2
Instruction Fuzzy Hash: 22319C6391CFC482D2219B25B5413AAB364F7A9788F15A715EFC812A1ADB38E1E5CB40

Function 0048B5C0 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3468748922.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.3468732052.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3468821729.00000000004DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469077174.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469098913.00000000007BC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469121315.00000000007C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469139102.00000000007CE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469169953.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469169953.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469169953.00000000007EB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469169953.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469169953.0000000000816000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469287065.000000000081A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469301523.0000000000821000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3469318099.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_mode11_buqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f426410239744f5ba57e2b78151ac65bfe157d6a2c0a85e8369f5e0dce230c44
Instruction ID: 261a0a6df1470e50db678c7131a460da8565a27646ed6dcf204cff58353409f4
Opcode Fuzzy Hash: f426410239744f5ba57e2b78151ac65bfe157d6a2c0a85e8369f5e0dce230c44
Instruction Fuzzy Hash:

Non-executed Functions

Function 0000025C73FC239C Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000025C73FC23FD

Part of subcall function 0000025C73FC0A00: _getptd.LIBCMT ref: 0000025C73FC0A16
Part of subcall function 0000025C73FC0A00: __updatetlocinfo.LIBCMT ref: 0000025C73FC0A4B
Part of subcall function 0000025C73FC0A00: __updatetmbcinfo.LIBCMT ref: 0000025C73FC0A72

_errno.LIBCMT ref: 0000025C73FC2402

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

_fileno.LIBCMT ref: 0000025C73FC242F

Part of subcall function 0000025C73FC4E54: _errno.LIBCMT ref: 0000025C73FC4E5D
Part of subcall function 0000025C73FC4E54: _invalid_parameter_noinfo.LIBCMT ref: 0000025C73FC4E68

write_multi_char.LIBCMT ref: 0000025C73FC2A6B
write_string.LIBCMT ref: 0000025C73FC2A88
write_multi_char.LIBCMT ref: 0000025C73FC2AA5
write_string.LIBCMT ref: 0000025C73FC2B04
write_string.LIBCMT ref: 0000025C73FC2B3B
write_multi_char.LIBCMT ref: 0000025C73FC2B5D
free.LIBCMT ref: 0000025C73FC2B71
_isleadbyte_l.LIBCMT ref: 0000025C73FC2C42
write_char.LIBCMT ref: 0000025C73FC2C58
write_char.LIBCMT ref: 0000025C73FC2C79
_errno.LIBCMT ref: 0000025C73FC2D7C
_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FC2D87

Strings

, xrefs: 0000025C73FC2A3F
@, xrefs: 0000025C73FC241B

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
Instruction ID: fe871c7bc5c119a81140e4d861d1ba2c66da3c2586e88dec0ef72683969039cd
Opcode Fuzzy Hash: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
Instruction Fuzzy Hash: 2452C42A6E4F499DFF658A14DD4836DEAA8F7C9FC6F340045DA6606ED4E738C8408F08

Function 0000025C757D2F9C Relevance: 30.8, APIs: 15, Strings: 2, Instructions: 1030COMMON

Download Yara Rule

APIs

Part of subcall function 0000025C757D1600: _getptd.LIBCMT ref: 0000025C757D1616
Part of subcall function 0000025C757D1600: __updatetlocinfo.LIBCMT ref: 0000025C757D164B
Part of subcall function 0000025C757D1600: __updatetmbcinfo.LIBCMT ref: 0000025C757D1672

_errno.LIBCMT ref: 0000025C757D3002

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

_fileno.LIBCMT ref: 0000025C757D302F

Part of subcall function 0000025C757D5A54: _errno.LIBCMT ref: 0000025C757D5A5D
Part of subcall function 0000025C757D5A54: _invalid_parameter_noinfo.LIBCMT ref: 0000025C757D5A68

write_multi_char.LIBCMT ref: 0000025C757D366B
write_string.LIBCMT ref: 0000025C757D3688
write_multi_char.LIBCMT ref: 0000025C757D36A5
write_string.LIBCMT ref: 0000025C757D3704
write_multi_char.LIBCMT ref: 0000025C757D375D
free.LIBCMT ref: 0000025C757D3771
_isleadbyte_l.LIBCMT ref: 0000025C757D3842
write_char.LIBCMT ref: 0000025C757D3858
write_char.LIBCMT ref: 0000025C757D3879
_errno.LIBCMT ref: 0000025C757D397C
_invalid_parameter_noinfo.LIBCMT ref: 0000025C757D3987

Strings

, xrefs: 0000025C757D363F
@, xrefs: 0000025C757D301B

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3613058218-1077428164
Opcode ID: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
Instruction ID: 90863fafb00a5320825d059110099e503d73c0f25f71fb04e285d5244f0f06ad
Opcode Fuzzy Hash: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
Instruction Fuzzy Hash: C262B570928F4D8FE7698A188CCA779F7F9FB59312F34029DD486829D1E6359C02CE49

Function 0000025C757D2528 Relevance: 29.0, APIs: 15, Strings: 1, Instructions: 1022COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000025C757D1600: _getptd.LIBCMT ref: 0000025C757D1616
Part of subcall function 0000025C757D1600: __updatetlocinfo.LIBCMT ref: 0000025C757D164B
Part of subcall function 0000025C757D1600: __updatetmbcinfo.LIBCMT ref: 0000025C757D1672

_errno.LIBCMT ref: 0000025C757D258E

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

_fileno.LIBCMT ref: 0000025C757D25BB

Part of subcall function 0000025C757D5A54: _errno.LIBCMT ref: 0000025C757D5A5D
Part of subcall function 0000025C757D5A54: _invalid_parameter_noinfo.LIBCMT ref: 0000025C757D5A68

write_multi_char.LIBCMT ref: 0000025C757D2BEB
write_string.LIBCMT ref: 0000025C757D2C08
write_multi_char.LIBCMT ref: 0000025C757D2C25
write_string.LIBCMT ref: 0000025C757D2C84
write_multi_char.LIBCMT ref: 0000025C757D2CDD
free.LIBCMT ref: 0000025C757D2CF1
_isleadbyte_l.LIBCMT ref: 0000025C757D2DC2
write_char.LIBCMT ref: 0000025C757D2DD8
write_char.LIBCMT ref: 0000025C757D2DF9
_errno.LIBCMT ref: 0000025C757D2EF3
_invalid_parameter_noinfo.LIBCMT ref: 0000025C757D2EFE

Strings

, xrefs: 0000025C757D2BBF

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3613058218-3916222277
Opcode ID: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
Instruction ID: 3141a5d71d3d68bee15496921a0ee5db1d6c22d84c8abc5f826a074565bd0504
Opcode Fuzzy Hash: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
Instruction Fuzzy Hash: 5062E931528F594FE7689A188CCA369F7F9FB99312F34019DD486839D2F6369C03CA49

Function 0000025C73FC1928 Relevance: 28.6, APIs: 14, Strings: 2, Instructions: 645COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000025C73FC1989

Part of subcall function 0000025C73FC0A00: _getptd.LIBCMT ref: 0000025C73FC0A16
Part of subcall function 0000025C73FC0A00: __updatetlocinfo.LIBCMT ref: 0000025C73FC0A4B
Part of subcall function 0000025C73FC0A00: __updatetmbcinfo.LIBCMT ref: 0000025C73FC0A72

_errno.LIBCMT ref: 0000025C73FC198E

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

_fileno.LIBCMT ref: 0000025C73FC19BB

Part of subcall function 0000025C73FC4E54: _errno.LIBCMT ref: 0000025C73FC4E5D
Part of subcall function 0000025C73FC4E54: _invalid_parameter_noinfo.LIBCMT ref: 0000025C73FC4E68

write_multi_char.LIBCMT ref: 0000025C73FC1FEB
write_string.LIBCMT ref: 0000025C73FC2008
_errno.LIBCMT ref: 0000025C73FC22F3
_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FC22FE

Strings

0, xrefs: 0000025C73FC1D28
-, xrefs: 0000025C73FC1F9C

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
String ID: -$0
API String ID: 3246410048-417717675
Opcode ID: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
Instruction ID: 3ecec17c7dc635acf9eefcc389f67c61aef0557261ee66a02708666851f17505
Opcode Fuzzy Hash: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
Instruction Fuzzy Hash: AF42D92A6E4F8899FB648A149D4836DEBA8F789FC6F340045DA6546ED4F739C850CF08

Function 0000025C73FC5914 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000025C73FC596A
_errno.LIBCMT ref: 0000025C73FC5971
_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FC597C

Strings

U, xrefs: 0000025C73FC5EDE

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
Instruction ID: aa08da233bd2b9bf1266441c4d7022687b5c5c354deff7e091705c5b9256b3eb
Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
Instruction Fuzzy Hash: 3212D7762A4F418EEB108F25D84836AE7A8F7C8FD6F640156DA5D43E94EB39C445CF08

Function 0000025C757C7B38 Relevance: 13.3, APIs: 10, Instructions: 790COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000025C757C7CA5
_snprintf.LIBCMT ref: 0000025C757C7D66
_snprintf.LIBCMT ref: 0000025C757C7D83
_snprintf.LIBCMT ref: 0000025C757C7FD8
_snprintf.LIBCMT ref: 0000025C757C80E8
_snprintf.LIBCMT ref: 0000025C757C81A6
_snprintf.LIBCMT ref: 0000025C757C825E
_snprintf.LIBCMT ref: 0000025C757C8002

Part of subcall function 0000025C757CF63C: _errno.LIBCMT ref: 0000025C757CF673
Part of subcall function 0000025C757CF63C: _invalid_parameter_noinfo.LIBCMT ref: 0000025C757CF67E

_snprintf.LIBCMT ref: 0000025C757C8276
_snprintf.LIBCMT ref: 0000025C757C8334

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction ID: f900e2f722c6e3d9833fdced654ead91e586b0c666dfae87e375f7468508886f
Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction Fuzzy Hash: 9152B320128E899BE759AB2CD8867E4F3F8FF68306F515248D985C7552FB30D983CB85

Function 0000025C73FB6F38 Relevance: 13.0, APIs: 10, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000025C73FB7166
_snprintf.LIBCMT ref: 0000025C73FB7183
_snprintf.LIBCMT ref: 0000025C73FB70A5

Part of subcall function 0000025C73FBEA3C: _errno.LIBCMT ref: 0000025C73FBEA73
Part of subcall function 0000025C73FBEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000025C73FBEA7E

_snprintf.LIBCMT ref: 0000025C73FB73D8
_snprintf.LIBCMT ref: 0000025C73FB7734

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction ID: e08c2462fe5306308f2ba8bae10f8cfc827f0e507bdbe8f7942787f360c969de
Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction Fuzzy Hash: 8142C5A9224F8496EA158B3CE4053E8E3A4FF5CB9AF145101DF9917F61FF38D2A68704

Function 0000025C73FCB7B0 Relevance: 5.9, Strings: 4, Instructions: 884COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0000025C73FCBE63
e ', xrefs: 0000025C73FCC405, 0000025C73FCC47E, 0000025C73FCC4F7, 0000025C73FCC570
<, xrefs: 0000025C73FCBE6E
ailure #%d - %s, xrefs: 0000025C73FCC41F, 0000025C73FCC498, 0000025C73FCC511, 0000025C73FCC58A

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID:
String ID: $<$ailure #%d - %s$e '
API String ID: 0-963976815
Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction ID: 54fbe1ec4d878f0d3fa1889cc00421b38bbb8ae764f13e105024d4c5bd5c6975
Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction Fuzzy Hash: 539211B6325A8087DB58CB1DE4A573AB7A1F3C8B80F54512AEB9B87794DE3CC451CB04

Function 0000025C73FCC397 Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

e ', xrefs: 0000025C73FCC405, 0000025C73FCC47E, 0000025C73FCC4F7, 0000025C73FCC570
ailure #%d - %s, xrefs: 0000025C73FCC41F, 0000025C73FCC498, 0000025C73FCC511, 0000025C73FCC58A

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID:
String ID: ailure #%d - %s$e '
API String ID: 0-4163927988
Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction ID: 085e75a70b6567b018509f7cdc2de2fb8501464c4923f6471bc99d8e3e68db9d
Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction Fuzzy Hash: AA613CB6224A508BD714CF08E4A562AB7E1F3CCBC5F94421AE39B87B68DA3CD545CF44

Function 0000025C757D01A8 Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 0000025C757D01DC

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _initp_misc_winsig
String ID:
API String ID: 2710132595-0
Opcode ID: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
Instruction ID: b8d95712fefb2edcad51bf9f6d4429a8b6cb12ed6418735bbcde0effe94d325e
Opcode Fuzzy Hash: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
Instruction Fuzzy Hash: 98A1EC71619A098FEF54EFB5EC98AAA37B2F768301721893A904AC3174DABCD545CF40

Function 0000025C757DDBF0 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: e789ed3a6711873bbb9b95ea505b97dfa11f015d12ae2284f237b4ddc649426e
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: C8620A31228A558FD31CCB1CC5B1B7AB7E1FB89340F44896DE287CB692C639DA45CB91

Function 0000025C757DD280 Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: 4ec21e6ef24db2c558cd74755bca9e96f7324784894a935f30035dc705b95dcc
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: E852EE312286558FD31CCF1CC5A1E7AB7E1FB8D340F448A6DE28ACB692C639D545CB91

Function 0000025C73FCCFF0 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: d75c6b9447cbfe2cefef023f532507428db4f456ff1c508935d92e33200f4322
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: 10525FB6214A418BD708CB1CE4A573AB7E1F3C9B81F44852AE7978BB99CA3DD544CF04

Function 0000025C73FCC680 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: 0209f090b908fbfb00719d74ca6298a3c5c953bcf3c55120d69963f10f8a5e22
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: 7A5264B6214A808BD708CB1DE4A573AB7E1F3CDB80F44852AE79687799CA3DD540CF44

Function 0000025C73FA9680 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
Instruction ID: a52fdec8e92e8681baded6b775f310b89fa3114010e4d3e8a7b0d6d9f2da7dd2
Opcode Fuzzy Hash: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
Instruction Fuzzy Hash: 7CF1A92A364F458AEB20DA19DC4439FA3A8F79EBC5F600061DA6987F85FA34C905CF44

Function 0000025C73FACE3C Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74bee57ece39a3ee739721ddd6b8b7c874878cbec99e002ba7fd2a6b2694298
Instruction ID: 5ab51968ad1e8b33738ee3ae992ce8b84801e471445d7aedc548adc8849b054a
Opcode Fuzzy Hash: f74bee57ece39a3ee739721ddd6b8b7c874878cbec99e002ba7fd2a6b2694298
Instruction Fuzzy Hash: E2E1F6A76A0B408BFB608B35EC543A9A3A5F74DBC6F144161DB9A83F91EA3CE041C704

Function 0000025C73FA916C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
Instruction ID: 4fdd1a2f7d3458e004c5bf3dd713997b1c697851f0f0b80960cc0399b3f5c784
Opcode Fuzzy Hash: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
Instruction Fuzzy Hash: D0E1F92A364F4649EF109A58DC4479FE3A8F79EBC9FA00061DE5987E85FA34C905CB44

Function 0000025C73FB0334 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
Instruction ID: 65984f9eb62fe3327c4158a1dae3dadd9fb7d9301054138468adfd009c9cbde6
Opcode Fuzzy Hash: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
Instruction Fuzzy Hash: 45718D7A264F418AEB608F35E858B5DB3A8F74DFC6F201065DA6943E94EF38C4448F49

Function 0000025C757D6E1C Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757D6E4E

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

__doserrno.LIBCMT ref: 0000025C757D6E45

Part of subcall function 0000025C757D1CA8: _getptd_noexit.LIBCMT ref: 0000025C757D1CAC

__doserrno.LIBCMT ref: 0000025C757D6EAB
_errno.LIBCMT ref: 0000025C757D6EB2
_invalid_parameter_noinfo.LIBCMT ref: 0000025C757D6F16

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction ID: e8e6f1563904984eb0bd0d8d5ca13263a7a1bde207d09123f5e0c5ab4d84e721
Opcode Fuzzy Hash: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction Fuzzy Hash: 4E31F670228F444FE315AF78CCCB368B6E8EB4A322F714699E416876D3E6349C41CB95

Function 0000025C73FC1B48 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

write_multi_char.LIBCMT ref: 0000025C73FC1FEB
write_string.LIBCMT ref: 0000025C73FC2008
write_multi_char.LIBCMT ref: 0000025C73FC2025
write_string.LIBCMT ref: 0000025C73FC2084
write_multi_char.LIBCMT ref: 0000025C73FC20DD
free.LIBCMT ref: 0000025C73FC20F1

Strings

, xrefs: 0000025C73FC1FBF

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: write_multi_char$write_string$free
String ID:
API String ID: 2630409672-3916222277
Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
Instruction ID: 8ae9469e2ba262e33bf2b1b8a5702cf9f459d69f354e4d99bb7da575ef8adfb6
Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
Instruction Fuzzy Hash: C4A1E62A6E4F4489FB21CB559C0839EABA8F7C9BC5F340042DE6957E95EB38C944CF04

Function 0000025C757D7C08 Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757D7C33

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

__doserrno.LIBCMT ref: 0000025C757D7C2B

Part of subcall function 0000025C757D1CA8: _getptd_noexit.LIBCMT ref: 0000025C757D1CAC

__lock_fhandle.LIBCMT ref: 0000025C757D7C77
_lseeki64_nolock.LIBCMT ref: 0000025C757D7C90
_unlock_fhandle.LIBCMT ref: 0000025C757D7CB3

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction ID: 61c51d75f6159879799a80b49e8cfe7e22b2bc78ec86f0f10fbc96c756ef8e3f
Opcode Fuzzy Hash: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction Fuzzy Hash: B721F830628F080FF3156B689CCB369B6E8EB49323F3505C9E0198B5D3F6745C41CAA9

Function 0000025C757D7A90 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757D7ABB

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

__doserrno.LIBCMT ref: 0000025C757D7AB3

Part of subcall function 0000025C757D1CA8: _getptd_noexit.LIBCMT ref: 0000025C757D1CAC

__lock_fhandle.LIBCMT ref: 0000025C757D7AFF
_lseek_nolock.LIBCMT ref: 0000025C757D7B18
_unlock_fhandle.LIBCMT ref: 0000025C757D7B39

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction ID: b2d252a0fed0aff50952d4ccb9608a567c50bc9ee20c579998b8ef2cef738af8
Opcode Fuzzy Hash: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction Fuzzy Hash: F8210A31628F000FF3156B68DCCB37CB6E8DB4A322F350688E0564B6D3E6745C41CAA9

Function 0000025C73FC621C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FC624E

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

__doserrno.LIBCMT ref: 0000025C73FC6245

Part of subcall function 0000025C73FC10A8: _getptd_noexit.LIBCMT ref: 0000025C73FC10AC

__doserrno.LIBCMT ref: 0000025C73FC62AB
_errno.LIBCMT ref: 0000025C73FC62B2
_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FC6316

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
Instruction ID: 1bc4e18fee31db9b5acdcd930de53b783fc82564dd8e82abd6486924bf229f8f
Opcode Fuzzy Hash: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
Instruction Fuzzy Hash: 023105262E4F408DE7116F619C4935DA558ABC9FD2F7841A5A93117FD3E638C451CF08

Function 0000025C73FCF150 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FCF176
_errno.LIBCMT ref: 0000025C73FCF16B

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
Instruction ID: 161c3c2cabc9d7a5d1714696fb3e2e7c32576103e849681dfe2d5f62b3b7c57a
Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
Instruction Fuzzy Hash: 8D41E37D6F2B5189FB609B118C183E9E298E79CFE6FB041619A7443EC5F63889518F08

Function 0000025C757D6434 Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757D645F

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

__doserrno.LIBCMT ref: 0000025C757D6457

Part of subcall function 0000025C757D1CA8: _getptd_noexit.LIBCMT ref: 0000025C757D1CAC

__lock_fhandle.LIBCMT ref: 0000025C757D64A3
_unlock_fhandle.LIBCMT ref: 0000025C757D64DD

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction ID: ef19d093ecc198992b669a4b2f118b30e618f0eb79bfc51fe2fe91b4cec762f8
Opcode Fuzzy Hash: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction Fuzzy Hash: D221D830628F404FF3156B68DCCB37DB6E4DB49322F354599E016876D3E6745C41CAA9

Function 0000025C757D5C58 Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757D5C79

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

__doserrno.LIBCMT ref: 0000025C757D5C71

Part of subcall function 0000025C757D1CA8: _getptd_noexit.LIBCMT ref: 0000025C757D1CAC

__lock_fhandle.LIBCMT ref: 0000025C757D5CBD
_close_nolock.LIBCMT ref: 0000025C757D5CD0
_unlock_fhandle.LIBCMT ref: 0000025C757D5CE9

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction ID: 398ff6a2992e83e458bc46b8cc4a71decee0494730c31ea07ce56bf48bee4a9b
Opcode Fuzzy Hash: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction Fuzzy Hash: A321F631126F144FF3156B748CDB368B6F8EB49322F750598E41A875D3E6744C41CBA9

Function 0000025C73FC7008 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FC7033

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

__doserrno.LIBCMT ref: 0000025C73FC702B

Part of subcall function 0000025C73FC10A8: _getptd_noexit.LIBCMT ref: 0000025C73FC10AC

__lock_fhandle.LIBCMT ref: 0000025C73FC7077
_lseeki64_nolock.LIBCMT ref: 0000025C73FC7090

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
String ID:
API String ID: 4140391395-0
Opcode ID: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
Instruction ID: 977a6a320ddec1f2b65747ace59c347f5d9b6bc1b575bc03496c0196cdf0a888
Opcode Fuzzy Hash: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
Instruction Fuzzy Hash: 6121CF262E0F404DF6012B259C0A3ADE518A7C8FF2F394784AA3507BE2E738C4518B28

Function 0000025C73FC6E90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FC6EBB

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

__doserrno.LIBCMT ref: 0000025C73FC6EB3

Part of subcall function 0000025C73FC10A8: _getptd_noexit.LIBCMT ref: 0000025C73FC10AC

__lock_fhandle.LIBCMT ref: 0000025C73FC6EFF
_lseek_nolock.LIBCMT ref: 0000025C73FC6F18

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
String ID:
API String ID: 310312816-0
Opcode ID: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
Instruction ID: 2c91a71833238b033c69a4a67cbecf2b23f5ccd0119b88baf1ba8819511ebfa6
Opcode Fuzzy Hash: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
Instruction Fuzzy Hash: 0621CF2A6E4F404DF7012F259C493ADE558A7C8FE3F394195AA3507AD2FA788851CB1C

Function 0000025C757CFF6C Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000025C757CFF9A

Part of subcall function 0000025C757CF244: RtlFreeHeap.NTDLL ref: 0000025C757CF25A
Part of subcall function 0000025C757CF244: _errno.LIBCMT ref: 0000025C757CF264

free.LIBCMT ref: 0000025C757CFFAF
free.LIBCMT ref: 0000025C757CFFD0
free.LIBCMT ref: 0000025C757CFFE5
free.LIBCMT ref: 0000025C757CFFF9
free.LIBCMT ref: 0000025C757D0005
free.LIBCMT ref: 0000025C757D0030
free.LIBCMT ref: 0000025C757D0051
free.LIBCMT ref: 0000025C757D006A
free.LIBCMT ref: 0000025C757D009B

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction ID: 87c93266f5883042450c8254b8fca1e4c53ac381d5340f486d5db31d5949e490
Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction Fuzzy Hash: 81416030261F498FFB94EB58DCE9B68B2E8F758317F7150A99406C25D1EA7C8D42CB14

Function 0000025C73FBF36C Relevance: 12.6, APIs: 10, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000025C73FBF39A

Part of subcall function 0000025C73FBE644: _errno.LIBCMT ref: 0000025C73FBE664

free.LIBCMT ref: 0000025C73FBF3AF
free.LIBCMT ref: 0000025C73FBF3D0
free.LIBCMT ref: 0000025C73FBF3E5
free.LIBCMT ref: 0000025C73FBF3F9
free.LIBCMT ref: 0000025C73FBF405
free.LIBCMT ref: 0000025C73FBF430
free.LIBCMT ref: 0000025C73FBF451
free.LIBCMT ref: 0000025C73FBF46A
free.LIBCMT ref: 0000025C73FBF49B

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
Instruction ID: 899ccda022dd7103bd9828445207ef37380d7757d48c6169144626fbca557b54
Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
Instruction Fuzzy Hash: 53312B6D2F1F418DFB549B25EC6D364926CAB5CFD2F2801A5D93906EE1AE3880048A19

Function 0000025C757DFD50 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000025C757DFD76
_errno.LIBCMT ref: 0000025C757DFD6B

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction ID: c2e993227efd60a85b8bf653ae4170bd682f0f5d663e1747b09c20b9b1a91ea9
Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction Fuzzy Hash: D4510B30124F1A4FE764AB258CCA3A5B2F4EB5C313F74019AA455C79DAF6348C43CB99

Function 0000025C73FC5834 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FC585F

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

__doserrno.LIBCMT ref: 0000025C73FC5857

Part of subcall function 0000025C73FC10A8: _getptd_noexit.LIBCMT ref: 0000025C73FC10AC

__lock_fhandle.LIBCMT ref: 0000025C73FC58A3

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
String ID:
API String ID: 2611593033-0
Opcode ID: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
Instruction ID: 5521a72fa82e68a9500d11217528506d162e6dcc738b578d88914c114a15318e
Opcode Fuzzy Hash: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
Instruction Fuzzy Hash: 8721256A6E0F444DF7012F229D493BDE55877C8FE3F354184AA3907BD2E67888518F18

Function 0000025C73FC5058 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FC5079

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

__doserrno.LIBCMT ref: 0000025C73FC5071

Part of subcall function 0000025C73FC10A8: _getptd_noexit.LIBCMT ref: 0000025C73FC10AC

__lock_fhandle.LIBCMT ref: 0000025C73FC50BD
_close_nolock.LIBCMT ref: 0000025C73FC50D0

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
String ID:
API String ID: 4060740672-0
Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
Instruction ID: c833d57d75e19779346831d05576d78943b6ccefa987d2c1dd564dc1424cbb3c
Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
Instruction Fuzzy Hash: 1C1102662E0F814DF3052F269C4D3ACE518A7C8FE3F394694953947AE2E678C4518F18

Function 0000025C757B460C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C757B46A9

Part of subcall function 0000025C757CF284: _FF_MSGBANNER.LIBCMT ref: 0000025C757CF2B4
Part of subcall function 0000025C757CF284: _NMSG_WRITE.LIBCMT ref: 0000025C757CF2BE
Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF2F2
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF2FD
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF308

malloc.LIBCMT ref: 0000025C757B46B3

Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF318
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF31D

malloc.LIBCMT ref: 0000025C757B46BE
free.LIBCMT ref: 0000025C757B487E
free.LIBCMT ref: 0000025C757B4886
free.LIBCMT ref: 0000025C757B488E

Part of subcall function 0000025C757B54F0: malloc.LIBCMT ref: 0000025C757B553A
Part of subcall function 0000025C757B54F0: malloc.LIBCMT ref: 0000025C757B5545
Part of subcall function 0000025C757B54F0: free.LIBCMT ref: 0000025C757B562C
Part of subcall function 0000025C757B54F0: free.LIBCMT ref: 0000025C757B5634

free.LIBCMT ref: 0000025C757B489A
free.LIBCMT ref: 0000025C757B48A7
free.LIBCMT ref: 0000025C757B48B4

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction ID: 5290138aa6336c6f4b6fd0bd10dd71a881979985a077aeaf0af32bd643534173
Opcode Fuzzy Hash: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction Fuzzy Hash: C4919C20F24F494FD759AA5C5C96779B3EBE789701F61029DD446C3693FE309C02CA8A

Function 0000025C73FA3A0C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C73FA3AA9

Part of subcall function 0000025C73FBE684: _FF_MSGBANNER.LIBCMT ref: 0000025C73FBE6B4
Part of subcall function 0000025C73FBE684: _NMSG_WRITE.LIBCMT ref: 0000025C73FBE6BE
Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE6F2
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE6FD
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE708

malloc.LIBCMT ref: 0000025C73FA3AB3

Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE718
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE71D

malloc.LIBCMT ref: 0000025C73FA3ABE
free.LIBCMT ref: 0000025C73FA3C7E
free.LIBCMT ref: 0000025C73FA3C86
free.LIBCMT ref: 0000025C73FA3C8E

Part of subcall function 0000025C73FA48F0: malloc.LIBCMT ref: 0000025C73FA493A
Part of subcall function 0000025C73FA48F0: malloc.LIBCMT ref: 0000025C73FA4945
Part of subcall function 0000025C73FA48F0: free.LIBCMT ref: 0000025C73FA4A2C
Part of subcall function 0000025C73FA48F0: free.LIBCMT ref: 0000025C73FA4A34

free.LIBCMT ref: 0000025C73FA3C9A
free.LIBCMT ref: 0000025C73FA3CA7
free.LIBCMT ref: 0000025C73FA3CB4

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
Instruction ID: e4450ab177a60495953df148e09606dbf300f6c4eb19c3e7740386c161a62179
Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
Instruction Fuzzy Hash: 42714B6A360B844EEB109B2A9C4876AF799B79AFC5F2040569D5607F86FF39C405CF08

Function 0000025C757CFE10 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757CFE36

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000025C757CFE42
__crtIsPackagedApp.LIBCMT ref: 0000025C757CFE53
_dosmaperr.LIBCMT ref: 0000025C757CFE9D

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction ID: 0912dedb9b74466eca9e5b71d81283e08003df478b6cf72623f2e92fd17bceef
Opcode Fuzzy Hash: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction Fuzzy Hash: CB31C730624F094FE754AB789C9A369B6E9FB8D312F25419DA44AC32D2E778CC42CB45

Function 0000025C757DA73C Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757DA755

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

__lock_fhandle.LIBCMT ref: 0000025C757DA79D
__doserrno.LIBCMT ref: 0000025C757DA7D2
_errno.LIBCMT ref: 0000025C757DA7D9
_unlock_fhandle.LIBCMT ref: 0000025C757DA7E9

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction ID: 50ebca9011cabb2f64d9b174f24b0aa0133117b713b8e3ee1146f524eaa17ce1
Opcode Fuzzy Hash: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction Fuzzy Hash: D3212130624F014FE354AB688CDB369B6F9BB49322F350198E406877D2EA745C40CBAA

Function 0000025C73FBF210 Relevance: 10.6, APIs: 7, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FBF236

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FBF242
__crtIsPackagedApp.LIBCMT ref: 0000025C73FBF253
_dosmaperr.LIBCMT ref: 0000025C73FBF29D

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
Instruction ID: 543d9b598f2c188a772f05b75fada6951a564fde42a50bb14f07b1c4ad3b4d83
Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
Instruction Fuzzy Hash: 9131C3693A1F408AFB109B369C1D359E6D9AB8DFD6F2405649A6543FD5FF38C4108B08

Function 0000025C73FCEFD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000025C73FCF004

Part of subcall function 0000025C73FC0A00: _getptd.LIBCMT ref: 0000025C73FC0A16
Part of subcall function 0000025C73FC0A00: __updatetlocinfo.LIBCMT ref: 0000025C73FC0A4B
Part of subcall function 0000025C73FC0A00: __updatetmbcinfo.LIBCMT ref: 0000025C73FC0A72

_errno.LIBCMT ref: 0000025C73FCF01F
_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FCF02A

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
Instruction ID: 4f17a0a792974899537360e476c0b6097f25bde4d1351e4841f3b58d71380fa2
Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
Instruction Fuzzy Hash: 7B31937A2E5B8489E7109B11985875DE6A8F7C8FE2F648161AA6403F95EB34C851CF04

Function 0000025C757D0B10 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757D0B4C

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000025C757D0B57
memcpy_s.LIBCMT ref: 0000025C757D0C1C
_fileno.LIBCMT ref: 0000025C757D0C87
_filbuf.LIBCMT ref: 0000025C757D0CB5
_errno.LIBCMT ref: 0000025C757D0D05

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction ID: 1700a60572957f4c2c31458a0b4afeafae19c2f78dc5b4d352de0b83638bbbcf
Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction Fuzzy Hash: CA61C431238F094FE628562C5C9E275F2E5E798723F34139ED45AC3AD2FA709C5289C9

Function 0000025C73FBFF10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FBFF4C

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FBFF57
memcpy_s.LIBCMT ref: 0000025C73FC001C
_fileno.LIBCMT ref: 0000025C73FC0087
_filbuf.LIBCMT ref: 0000025C73FC00B5
_errno.LIBCMT ref: 0000025C73FC0105

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
Instruction ID: 3fe8e3b5a89b3012e99d2483976cc770cec13f525f5af41ae73b1a2e0805042f
Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
Instruction Fuzzy Hash: 255157693E5B408AFB148A265C08769E688B3CDFF5F344750AE3943FD1EB34C4928E09

Function 0000025C757DFBD0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 0000025C757D1600: _getptd.LIBCMT ref: 0000025C757D1616
Part of subcall function 0000025C757D1600: __updatetlocinfo.LIBCMT ref: 0000025C757D164B
Part of subcall function 0000025C757D1600: __updatetmbcinfo.LIBCMT ref: 0000025C757D1672

_errno.LIBCMT ref: 0000025C757DFC1F
_invalid_parameter_noinfo.LIBCMT ref: 0000025C757DFC2A

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: __updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808835054-0
Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction ID: 8498c601896599b03d2398e14973a8d1025b27fa0c576442f7dc400bd34878f0
Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction Fuzzy Hash: BB317C30228F084FD7549F1898CA769B2E4FB5C312F6506E9A84DC7696EB70DC42CB89

Function 0000025C757D0620 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757D0577

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000025C757D0582
_getstream.LIBCMT ref: 0000025C757D05A2
_errno.LIBCMT ref: 0000025C757D05B4
_errno.LIBCMT ref: 0000025C757D05C6
_openfile.LIBCMT ref: 0000025C757D05F4

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
Instruction ID: aec2ce8209e24fe76f928664fe4a91fa22bc3c4fbe386e7335eaaa00cfb7aab6
Opcode Fuzzy Hash: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
Instruction Fuzzy Hash: ED21F770628F0A8FF790AB394C4A76DB2E5EB8D342F2505D99846C3192FB30CC41CB99

Function 0000025C73FBFA20 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FBF977

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FBF982
_getstream.LIBCMT ref: 0000025C73FBF9A2
_errno.LIBCMT ref: 0000025C73FBF9B4
_errno.LIBCMT ref: 0000025C73FBF9C6
_openfile.LIBCMT ref: 0000025C73FBF9F4

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
Instruction ID: c6e8698572fcdea4fe903324a4ec31f3c94e535faa53bf45e80deff5487411aa
Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
Instruction Fuzzy Hash: CD2108A92B5F8299FB115B329C0935EE29D778CFC1F6444A1996987F86FB3CC4108F08

Function 0000025C73FC9B3C Relevance: 9.1, APIs: 6, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FC9B55

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

__lock_fhandle.LIBCMT ref: 0000025C73FC9B9D
__doserrno.LIBCMT ref: 0000025C73FC9BD2
_errno.LIBCMT ref: 0000025C73FC9BD9

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
String ID:
API String ID: 2102446242-0
Opcode ID: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
Instruction ID: a5ace5dedcb866f6f3845181a6a0c8fd9ec29e44ae8a491a4aab8aea25f3d8ef
Opcode Fuzzy Hash: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
Instruction Fuzzy Hash: 0221F5292E0F814DF7055F659C8D36EE55C97C8FD2F390198963507BD2FA7888418B0C

Function 0000025C73FBE3EC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C73FBE40F

Part of subcall function 0000025C73FBE684: _FF_MSGBANNER.LIBCMT ref: 0000025C73FBE6B4
Part of subcall function 0000025C73FBE684: _NMSG_WRITE.LIBCMT ref: 0000025C73FBE6BE
Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE6F2
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE6FD
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE708

malloc.LIBCMT ref: 0000025C73FBE41D

Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE718
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE71D

malloc.LIBCMT ref: 0000025C73FBE43F
_snprintf.LIBCMT ref: 0000025C73FBE45A

Part of subcall function 0000025C73FBEA3C: _errno.LIBCMT ref: 0000025C73FBEA73
Part of subcall function 0000025C73FBEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000025C73FBEA7E

malloc.LIBCMT ref: 0000025C73FBE475

Strings

dpoolWait, xrefs: 0000025C73FBE444

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID: dpoolWait
API String ID: 2026495703-1875951006
Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
Instruction ID: 366f94d95959c4edda6c2334dadb6565b7ef90e038f2447cbbcea399b83f6d19
Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
Instruction Fuzzy Hash: 3F01C8B5720B9049EA04DB22BC08759A69DF7ACFD1F25425AEE7947BC6DE38C0418B44

Function 0000025C757C31F4 Relevance: 9.0, APIs: 7, Instructions: 264stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 0000025C757C322E
strchr.LIBCMT ref: 0000025C757C324C
malloc.LIBCMT ref: 0000025C757C3264
malloc.LIBCMT ref: 0000025C757C3271
rand.LIBCMT ref: 0000025C757C333D
free.LIBCMT ref: 0000025C757C345B
free.LIBCMT ref: 0000025C757C3463

Part of subcall function 0000025C757CF244: RtlFreeHeap.NTDLL ref: 0000025C757CF25A
Part of subcall function 0000025C757CF244: _errno.LIBCMT ref: 0000025C757CF264

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$FreeHeap_errnorand
String ID:
API String ID: 3504763109-0
Opcode ID: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction ID: 869e3c3c199e9f144b068cf41c8d35de08646938377022ec46cc930b77874d8a
Opcode Fuzzy Hash: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction Fuzzy Hash: 5681F820228F8C4FE755AB2C98993F9F3E8FF9D306F1101A99585C7592EA308D47CB45

Function 0000025C73FB25F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 0000025C73FB262E
strchr.LIBCMT ref: 0000025C73FB264C
malloc.LIBCMT ref: 0000025C73FB2664
malloc.LIBCMT ref: 0000025C73FB2671
rand.LIBCMT ref: 0000025C73FB273D
free.LIBCMT ref: 0000025C73FB285B
free.LIBCMT ref: 0000025C73FB2863

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$rand
String ID:
API String ID: 1305919620-0
Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
Instruction ID: 48e74682846e4e7d98af5e7d88df55eb1ad5367c2c560bcb94c15066cad22abb
Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
Instruction Fuzzy Hash: F0714B95664FC459FA259B39AC083EAE390EF9CFC5F280151DB9507F96FE38C1428B08

Function 0000025C757B4170 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C757B41BD

Part of subcall function 0000025C757CF284: _FF_MSGBANNER.LIBCMT ref: 0000025C757CF2B4
Part of subcall function 0000025C757CF284: _NMSG_WRITE.LIBCMT ref: 0000025C757CF2BE
Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF2F2
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF2FD
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF308

malloc.LIBCMT ref: 0000025C757B41C8

Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF318
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF31D

free.LIBCMT ref: 0000025C757B42AF
free.LIBCMT ref: 0000025C757B42B7
free.LIBCMT ref: 0000025C757B42BF
free.LIBCMT ref: 0000025C757B42CB
free.LIBCMT ref: 0000025C757B42D8

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction ID: df5413d93ddbda485dd959ba25568757434c461ac0d02dd94bf6710f296a3eed
Opcode Fuzzy Hash: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction Fuzzy Hash: B751CF34A24F094FDB599B2898956B9B7EAF74D311F50016DD84BC3647FA30DC02CA89

Function 0000025C73FA3570 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C73FA35BD

Part of subcall function 0000025C73FBE684: _FF_MSGBANNER.LIBCMT ref: 0000025C73FBE6B4
Part of subcall function 0000025C73FBE684: _NMSG_WRITE.LIBCMT ref: 0000025C73FBE6BE
Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE6F2
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE6FD
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE708

malloc.LIBCMT ref: 0000025C73FA35C8

Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE718
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE71D

free.LIBCMT ref: 0000025C73FA36AF
free.LIBCMT ref: 0000025C73FA36B7
free.LIBCMT ref: 0000025C73FA36BF
free.LIBCMT ref: 0000025C73FA36CB
free.LIBCMT ref: 0000025C73FA36D8

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
Instruction ID: cc51078617b73ffcfd4d0b39c6970bef326c6e9977d941d69c93095cb2eb2095
Opcode Fuzzy Hash: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
Instruction Fuzzy Hash: 94412329360B818FEB94DB2AAC18759A768B75EFC2F640061CE2547F41FF34C412CB08

Function 0000025C73FBB630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 0000025C73FBB654

Part of subcall function 0000025C73FBF84C: _getptd.LIBCMT ref: 0000025C73FBF854

malloc.LIBCMT ref: 0000025C73FBB69C
strtok.LIBCMT ref: 0000025C73FBB700
strtok.LIBCMT ref: 0000025C73FBB711

Strings

eThreadpoolTimer, xrefs: 0000025C73FBB6DA

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: strtok$_getptd_time64malloc
String ID: eThreadpoolTimer
API String ID: 1522986614-2707337283
Opcode ID: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
Instruction ID: 19b200e3034793105690978381881be4c922b26f3cc44bada0bd05a436ba02d8
Opcode Fuzzy Hash: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
Instruction Fuzzy Hash: 12212BB66A0F9449EB00DF11E84C25CB7ACF39CFD1F254195EE2A43B81DA30C8418B44

Function 0000025C73FABE74 Relevance: 7.8, APIs: 6, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000025C73FB53EC: malloc.LIBCMT ref: 0000025C73FB5408

malloc.LIBCMT ref: 0000025C73FABF3B

Part of subcall function 0000025C73FBE684: _FF_MSGBANNER.LIBCMT ref: 0000025C73FBE6B4
Part of subcall function 0000025C73FBE684: _NMSG_WRITE.LIBCMT ref: 0000025C73FBE6BE
Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE6F2
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE6FD
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE708

Part of subcall function 0000025C73FBB630: _time64.LIBCMT ref: 0000025C73FBB654
Part of subcall function 0000025C73FBB630: malloc.LIBCMT ref: 0000025C73FBB69C
Part of subcall function 0000025C73FBB630: strtok.LIBCMT ref: 0000025C73FBB700
Part of subcall function 0000025C73FBB630: strtok.LIBCMT ref: 0000025C73FBB711

Part of subcall function 0000025C73FB28A0: _time64.LIBCMT ref: 0000025C73FB28AE

Part of subcall function 0000025C73FBDEA8: malloc.LIBCMT ref: 0000025C73FBDEF8

Part of subcall function 0000025C73FBDEA8: realloc.LIBCMT ref: 0000025C73FBDF07

malloc.LIBCMT ref: 0000025C73FAC04A
_snprintf.LIBCMT ref: 0000025C73FAC0C1
_snprintf.LIBCMT ref: 0000025C73FAC0E7
_snprintf.LIBCMT ref: 0000025C73FAC10E
free.LIBCMT ref: 0000025C73FAC2C6

Part of subcall function 0000025C73FBA144: malloc.LIBCMT ref: 0000025C73FBA178
Part of subcall function 0000025C73FBA144: free.LIBCMT ref: 0000025C73FBA32F

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
String ID:
API String ID: 1314452303-0
Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
Instruction ID: 4b49ba0245fd1532cf75312bb7213af044bbde751bbbf9ef14021b9981ede9db
Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
Instruction Fuzzy Hash: AAC1E5692A0F404DFA04EB769D59799A28DAB4EFC2F6040A5A97547FD2FE38C4058F08

Function 0000025C757C1694 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0000025C757C5FEC: malloc.LIBCMT ref: 0000025C757C6008

Part of subcall function 0000025C757D0620: _errno.LIBCMT ref: 0000025C757D0577
Part of subcall function 0000025C757D0620: _invalid_parameter_noinfo.LIBCMT ref: 0000025C757D0582

fseek.LIBCMT ref: 0000025C757C1730

Part of subcall function 0000025C757D0EA4: _errno.LIBCMT ref: 0000025C757D0ECC
Part of subcall function 0000025C757D0EA4: _invalid_parameter_noinfo.LIBCMT ref: 0000025C757D0ED7

_ftelli64.LIBCMT ref: 0000025C757C1738

Part of subcall function 0000025C757D0F18: _errno.LIBCMT ref: 0000025C757D0F36
Part of subcall function 0000025C757D0F18: _invalid_parameter_noinfo.LIBCMT ref: 0000025C757D0F41

fseek.LIBCMT ref: 0000025C757C1748

Part of subcall function 0000025C757D0EA4: _fseek_nolock.LIBCMT ref: 0000025C757D0EF5

malloc.LIBCMT ref: 0000025C757C1788

Part of subcall function 0000025C757CF284: _FF_MSGBANNER.LIBCMT ref: 0000025C757CF2B4
Part of subcall function 0000025C757CF284: _NMSG_WRITE.LIBCMT ref: 0000025C757CF2BE
Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF2F2
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF2FD
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF308

fclose.LIBCMT ref: 0000025C757C1845

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction ID: f989f04bc1da335b7381d048000fdc1f7a5f3c918644f5d88d5b43eb2bd30250
Opcode Fuzzy Hash: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction Fuzzy Hash: F9518B31628F084FD749EB1C98D9779B2E9EB8C311F6042ADA44BC3697ED349D02CA85

Function 0000025C757DA348 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 0000025C757DA375

Part of subcall function 0000025C757D3E58: _FF_MSGBANNER.LIBCMT ref: 0000025C757D3E75
Part of subcall function 0000025C757D3E58: _NMSG_WRITE.LIBCMT ref: 0000025C757D3E7F

_lock.LIBCMT ref: 0000025C757DA388
_lock.LIBCMT ref: 0000025C757DA3E3
_calloc_crt.LIBCMT ref: 0000025C757DA49A

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction ID: 1d8befeb95e744cf01d64a79b109b65bba507e4a14b301fd001e005b7f0cc7d4
Opcode Fuzzy Hash: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction Fuzzy Hash: 6D51C470528F084FE7549F18CC8A375F7E4FB58311F25429DE88AC76A2EA74DC42CA86

Function 0000025C757B54F0 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C757B553A

Part of subcall function 0000025C757CF284: _FF_MSGBANNER.LIBCMT ref: 0000025C757CF2B4
Part of subcall function 0000025C757CF284: _NMSG_WRITE.LIBCMT ref: 0000025C757CF2BE
Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF2F2
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF2FD
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF308

malloc.LIBCMT ref: 0000025C757B5545

Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF318
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF31D

free.LIBCMT ref: 0000025C757B562C
free.LIBCMT ref: 0000025C757B5634
free.LIBCMT ref: 0000025C757B5640
free.LIBCMT ref: 0000025C757B564D

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction ID: 87b3e51600cc3d9ee3aa597fb89407dc44d461bff9c401ccf4cd7226d6b481e5
Opcode Fuzzy Hash: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction Fuzzy Hash: 5A41F630628F0D0FE758AA284C8967AB6E9E79A755F64016DD887C3243FD30DC03CB89

Function 0000025C757D239C Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 0000025C757D23B9

Part of subcall function 0000025C757D5A54: _errno.LIBCMT ref: 0000025C757D5A5D
Part of subcall function 0000025C757D5A54: _invalid_parameter_noinfo.LIBCMT ref: 0000025C757D5A68

_errno.LIBCMT ref: 0000025C757D23C9

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

_errno.LIBCMT ref: 0000025C757D23E5
_isatty.LIBCMT ref: 0000025C757D2446
_getbuf.LIBCMT ref: 0000025C757D2452

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction ID: 8a8dc2770836d27a15a3dcd9a4989ee2a643986a0f898c87a689c13afd867d15
Opcode Fuzzy Hash: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction Fuzzy Hash: 87518F30224F084FEB58EF28C8DA765B6E4EB4C311F6402D9D856CB6D6E675CC82CB85

Function 0000025C757C9220 Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C757C924F

Part of subcall function 0000025C757CF284: _FF_MSGBANNER.LIBCMT ref: 0000025C757CF2B4
Part of subcall function 0000025C757CF284: _NMSG_WRITE.LIBCMT ref: 0000025C757CF2BE
Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF2F2
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF2FD
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF308

_snprintf.LIBCMT ref: 0000025C757C9267

Part of subcall function 0000025C757CF63C: _errno.LIBCMT ref: 0000025C757CF673
Part of subcall function 0000025C757CF63C: _invalid_parameter_noinfo.LIBCMT ref: 0000025C757CF67E

free.LIBCMT ref: 0000025C757C927E

Part of subcall function 0000025C757CF244: RtlFreeHeap.NTDLL ref: 0000025C757CF25A
Part of subcall function 0000025C757CF244: _errno.LIBCMT ref: 0000025C757CF264

malloc.LIBCMT ref: 0000025C757C92CE
_snprintf.LIBCMT ref: 0000025C757C92E6
free.LIBCMT ref: 0000025C757C930E

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$FreeHeap_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 343393124-0
Opcode ID: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction ID: aca6ae1b7d57d08c53420ae1c353cdae9df3a9ef8e65dbd1153dd7cc03a347c5
Opcode Fuzzy Hash: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction Fuzzy Hash: E341A72031CE480FE698AB6C68657B4B7EAE78D311F554199D08EC3297FE34AC03CB85

Function 0000025C73FB0A94 Relevance: 7.6, APIs: 5, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0000025C73FB53EC: malloc.LIBCMT ref: 0000025C73FB5408

Part of subcall function 0000025C73FBFA20: _errno.LIBCMT ref: 0000025C73FBF977
Part of subcall function 0000025C73FBFA20: _invalid_parameter_noinfo.LIBCMT ref: 0000025C73FBF982

fseek.LIBCMT ref: 0000025C73FB0B30

Part of subcall function 0000025C73FC02A4: _errno.LIBCMT ref: 0000025C73FC02CC
Part of subcall function 0000025C73FC02A4: _invalid_parameter_noinfo.LIBCMT ref: 0000025C73FC02D7

_ftelli64.LIBCMT ref: 0000025C73FB0B38

Part of subcall function 0000025C73FC0318: _errno.LIBCMT ref: 0000025C73FC0336
Part of subcall function 0000025C73FC0318: _invalid_parameter_noinfo.LIBCMT ref: 0000025C73FC0341

fseek.LIBCMT ref: 0000025C73FB0B48

Part of subcall function 0000025C73FC02A4: _fseek_nolock.LIBCMT ref: 0000025C73FC02F5

malloc.LIBCMT ref: 0000025C73FB0B88

Part of subcall function 0000025C73FBE684: _FF_MSGBANNER.LIBCMT ref: 0000025C73FBE6B4
Part of subcall function 0000025C73FBE684: _NMSG_WRITE.LIBCMT ref: 0000025C73FBE6BE
Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE6F2
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE6FD
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE708

Part of subcall function 0000025C73FAC444: malloc.LIBCMT ref: 0000025C73FAC457

fclose.LIBCMT ref: 0000025C73FB0C45

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 1756087678-0
Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
Instruction ID: 9bcf7f6e7867884633f6ee43566569bbe398260a3358d336c59f114afef2a39f
Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
Instruction Fuzzy Hash: F641F569360B408AEA00EB229C197ADE259B7CDFC1F604161AD6E47FD6EF3CC5018F08

Function 0000025C73FBFA2C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FBFA64

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FBFA6F
_flush.LIBCMT ref: 0000025C73FBFB21
_fileno.LIBCMT ref: 0000025C73FBFB42
_flsbuf.LIBCMT ref: 0000025C73FBFB85

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1640621425-0
Opcode ID: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
Instruction ID: 0221937535bc26dc3be2350346fb89d9eccb4d83e37034b9bf5fdeefd64415fc
Opcode Fuzzy Hash: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
Instruction Fuzzy Hash: AF4114B93A1B418EEB289E325D58359F69DB74CFE1F3882609E7547FD1F638C4418A08

Function 0000025C73FA48F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C73FA493A

Part of subcall function 0000025C73FBE684: _FF_MSGBANNER.LIBCMT ref: 0000025C73FBE6B4
Part of subcall function 0000025C73FBE684: _NMSG_WRITE.LIBCMT ref: 0000025C73FBE6BE
Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE6F2
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE6FD
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE708

malloc.LIBCMT ref: 0000025C73FA4945

Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE718
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE71D

free.LIBCMT ref: 0000025C73FA4A2C
free.LIBCMT ref: 0000025C73FA4A34
free.LIBCMT ref: 0000025C73FA4A40
free.LIBCMT ref: 0000025C73FA4A4D

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
Instruction ID: d9531decc5e2ba37b12989dda83b67368f4154708d10cc4899f61e78ea1c0254
Opcode Fuzzy Hash: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
Instruction Fuzzy Hash: 34411729374B954AEB01EF2A5C09359A69DB7AEFC6F694060DD3587F41FE38C406CB08

Function 0000025C757BFC64 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C757BFC85

Part of subcall function 0000025C757CF284: _FF_MSGBANNER.LIBCMT ref: 0000025C757CF2B4
Part of subcall function 0000025C757CF284: _NMSG_WRITE.LIBCMT ref: 0000025C757CF2BE
Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF2F2
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF2FD
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF308

free.LIBCMT ref: 0000025C757BFCC0
fwrite.LIBCMT ref: 0000025C757BFD01
fclose.LIBCMT ref: 0000025C757BFD09
free.LIBCMT ref: 0000025C757BFD16

Part of subcall function 0000025C757CF244: RtlFreeHeap.NTDLL ref: 0000025C757CF25A
Part of subcall function 0000025C757CF244: _errno.LIBCMT ref: 0000025C757CF264

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$free$FreeHeap_callnewhfclosefwritemalloc
String ID:
API String ID: 415550720-0
Opcode ID: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction ID: 121d9d78a0b615be484bdaebe62ea6d16652195036f5b27cba0f25b807a84f40
Opcode Fuzzy Hash: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction Fuzzy Hash: A0214120638F084FE684B72888997ADF2E5FB9C741F600599A44AC3686FD348D41CB89

Function 0000025C73FB8620 Relevance: 7.6, APIs: 6, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C73FB864F

Part of subcall function 0000025C73FBE684: _FF_MSGBANNER.LIBCMT ref: 0000025C73FBE6B4
Part of subcall function 0000025C73FBE684: _NMSG_WRITE.LIBCMT ref: 0000025C73FBE6BE
Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE6F2
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE6FD
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE708

_snprintf.LIBCMT ref: 0000025C73FB8667

Part of subcall function 0000025C73FBEA3C: _errno.LIBCMT ref: 0000025C73FBEA73
Part of subcall function 0000025C73FBEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000025C73FBEA7E

free.LIBCMT ref: 0000025C73FB867E

Part of subcall function 0000025C73FBE644: _errno.LIBCMT ref: 0000025C73FBE664

malloc.LIBCMT ref: 0000025C73FB86CE
_snprintf.LIBCMT ref: 0000025C73FB86E6
free.LIBCMT ref: 0000025C73FB870E

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 761449704-0
Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
Instruction ID: 62b1d9c2147d79a3b79006ba518e88ac782c7a818917572bf0e7e5e92ba3e0b3
Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
Instruction Fuzzy Hash: 8B3106592B0FC00DE6455B326C2D3A5EB5A738EFD1F684091DEB507F96EB38C4428B08

Function 0000025C73FAF064 Relevance: 7.6, APIs: 5, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C73FAF085

Part of subcall function 0000025C73FBE684: _FF_MSGBANNER.LIBCMT ref: 0000025C73FBE6B4
Part of subcall function 0000025C73FBE684: _NMSG_WRITE.LIBCMT ref: 0000025C73FBE6BE
Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE6F2
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE6FD
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE708

free.LIBCMT ref: 0000025C73FAF0C0
fwrite.LIBCMT ref: 0000025C73FAF101
fclose.LIBCMT ref: 0000025C73FAF109
free.LIBCMT ref: 0000025C73FAF116

Part of subcall function 0000025C73FBE644: _errno.LIBCMT ref: 0000025C73FBE664

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$free$_callnewhfclosefwritemalloc
String ID:
API String ID: 1696598829-0
Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
Instruction ID: 5c5e8116328dbb903f084b2d925d095f9e884b79a45bd90ec89bc74a89ae3bef
Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
Instruction Fuzzy Hash: 1F11F999364F4044EA10E721AC193ADD255A78DFD5F644161AA7D4BFC6EE3CC5018F48

Function 0000025C757DA5EC Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757DA5FD

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

__doserrno.LIBCMT ref: 0000025C757DA5F5

Part of subcall function 0000025C757D1CA8: _getptd_noexit.LIBCMT ref: 0000025C757D1CAC

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction ID: 23b903845e428ed4863bd62f38bafb282f37927c0e3098339f3642ac87e25d27
Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction Fuzzy Hash: DF018F30635F088FE755AB348C8A358B2F4BB19327FB506D4E0058BAE2FB390C41CA59

Function 0000025C73FC99EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FC99FD

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

__doserrno.LIBCMT ref: 0000025C73FC99F5

Part of subcall function 0000025C73FC10A8: _getptd_noexit.LIBCMT ref: 0000025C73FC10AC

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
Instruction ID: 8c2cb26da3c9a28644fda7f81bd35de01e880d1b2790fb9e2145be70d63f673a
Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
Instruction Fuzzy Hash: A4016D6A6F1F444CFA052B248C493ACE1596BD9FE3FB18385D53906BD2F63884214E18

Function 0000025C757BEC04 Relevance: 6.5, APIs: 5, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000025C757BECD3
_snprintf.LIBCMT ref: 0000025C757BECFE
_snprintf.LIBCMT ref: 0000025C757BED1A
_snprintf.LIBCMT ref: 0000025C757BEDCF
_snprintf.LIBCMT ref: 0000025C757BEDE6

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID:
API String ID: 3512837008-0
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: d2ee6a048e21f87fc92c9eeb7f0489298310ccb5ed218c0fdabaabdab1e0635c
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: 67917130528F484FEB54EF18DCD9BA9B3F9FB99305F1005A9E846C3292EA34D945CB45

Function 0000025C73FAE004 Relevance: 6.4, APIs: 5, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000025C73FAE0D3
_snprintf.LIBCMT ref: 0000025C73FAE0FE
_snprintf.LIBCMT ref: 0000025C73FAE11A
_snprintf.LIBCMT ref: 0000025C73FAE1CF
_snprintf.LIBCMT ref: 0000025C73FAE1E6

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID:
API String ID: 3512837008-0
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: 3c42bef46999b3aee7c5c84dfd349835f5102c7180843384e9b0e87e5144f4e6
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: CA817F7A260F8489FB109B65EC483D9B3A8F79DFC5F6401A2DA6903B95EF38C505CB04

Function 0000025C757CEFEC Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C757CF00F

Part of subcall function 0000025C757CF284: _FF_MSGBANNER.LIBCMT ref: 0000025C757CF2B4
Part of subcall function 0000025C757CF284: _NMSG_WRITE.LIBCMT ref: 0000025C757CF2BE
Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF2F2
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF2FD
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF308

malloc.LIBCMT ref: 0000025C757CF01D

Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF318
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF31D

malloc.LIBCMT ref: 0000025C757CF03F
_snprintf.LIBCMT ref: 0000025C757CF05A

Part of subcall function 0000025C757CF63C: _errno.LIBCMT ref: 0000025C757CF673
Part of subcall function 0000025C757CF63C: _invalid_parameter_noinfo.LIBCMT ref: 0000025C757CF67E

malloc.LIBCMT ref: 0000025C757CF075

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction ID: 87ec1cab1f3f66ffaa7c72a71411b33ba561e1a4e06c8321380fdc8b8ed0ce67
Opcode Fuzzy Hash: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction Fuzzy Hash: 5311663162CF044FE798EB6CA499755B6E5F78C311F21459EF04AC3396EA349C428BC5

Function 0000025C757D062C Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757D0664

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000025C757D066F
_flush.LIBCMT ref: 0000025C757D0721
_fileno.LIBCMT ref: 0000025C757D0742

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction ID: c7bcf9ac917ff6d336733736668d8555b82dd182d74c57320dd1db7e56e5be8a
Opcode Fuzzy Hash: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction Fuzzy Hash: 1F51A830228F094FEAA8596D5C8F335B1E4E79C713F3412AD949AC39D2FA71DC52C989

Function 0000025C73FBB3C0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction ID: bea40b7b4c7c39d3bf7636a8ef47c53d2979cacc1d99f11298f8429924e26770
Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction Fuzzy Hash: 4161AF7A2E1F40CEE7148F299D48768B2ACB35CFD6F3441AAD96547B94EB34C8418F48

Function 0000025C757B10D0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0000025C757B1117
clock.LIBCMT ref: 0000025C757B1124
clock.LIBCMT ref: 0000025C757B112D
clock.LIBCMT ref: 0000025C757B113A

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: 02b01ca9931147e6bb16518346f7411966dcf8d8cfc7409f4d6adf5e127f7c54
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: B8213B3182CB0C0FE768AD9858CA776F3E5D749351F3502ADE88AC3542F9708C42CAC9

Function 0000025C73FCE9D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000025C73FCE9FC

Part of subcall function 0000025C73FC0A00: _getptd.LIBCMT ref: 0000025C73FC0A16
Part of subcall function 0000025C73FC0A00: __updatetlocinfo.LIBCMT ref: 0000025C73FC0A4B
Part of subcall function 0000025C73FC0A00: __updatetmbcinfo.LIBCMT ref: 0000025C73FC0A72

_errno.LIBCMT ref: 0000025C73FCEA08

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FCEA13
strchr.LIBCMT ref: 0000025C73FCEA29

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
Instruction ID: 95f39b8e510841d4e9356d3bf2868d0a46e08411fdc10dd7f316ade0b2e5285b
Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
Instruction Fuzzy Hash: 1A21261A1E8BA04CEB604611985833DE698F3E8FD7F3841A1E6B607EC5E93CC451AF08

Function 0000025C73FA04D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0000025C73FA0517
clock.LIBCMT ref: 0000025C73FA0524
clock.LIBCMT ref: 0000025C73FA052D
clock.LIBCMT ref: 0000025C73FA053A

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: 7c765d23926290466d69f921953dab50b99a983be57756b50c6a4e1a54a8498f
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: 3C113D66590F468DF374AE797C8432BF598BB8DBD1F390061EE6403A45F930C8418F46

Function 0000025C73FB13B0 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C73FB13D2

Part of subcall function 0000025C73FBE684: _FF_MSGBANNER.LIBCMT ref: 0000025C73FBE6B4
Part of subcall function 0000025C73FBE684: _NMSG_WRITE.LIBCMT ref: 0000025C73FBE6BE
Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE6F2
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE6FD
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE708

_snprintf.LIBCMT ref: 0000025C73FB13F1

Part of subcall function 0000025C73FBEA3C: _errno.LIBCMT ref: 0000025C73FBEA73
Part of subcall function 0000025C73FBEA3C: _invalid_parameter_noinfo.LIBCMT ref: 0000025C73FBEA7E

remove.LIBCMT ref: 0000025C73FB13FD
remove.LIBCMT ref: 0000025C73FB1404

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID:
API String ID: 2566950902-0
Opcode ID: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
Instruction ID: 30d8d8d554aaef470bac9e8fa275c69fc7bb547e40b71246ac3e71f5342dc7cc
Opcode Fuzzy Hash: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
Instruction Fuzzy Hash: 4EF09669264F40CDE2509B22BC1939AE269A79CFC1F684161BF5817F56EE38C4018F48

Function 0000025C757CF860 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C757CF8B1

Part of subcall function 0000025C757D1D18: _getptd_noexit.LIBCMT ref: 0000025C757D1D1C

_invalid_parameter_noinfo.LIBCMT ref: 0000025C757CF8BC

Strings

B, xrefs: 0000025C757CF8E8

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction ID: 57cc9f8bca5e6cca9607a0dcaed2d974f476b117a82389148ee1d03609eae049
Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction Fuzzy Hash: 5511BF30228F084FD744EF1C9889769B3E5FB98325F6043AEA419C32A1DB34C885CB86

Function 0000025C73FBEC60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000025C73FBECB1

Part of subcall function 0000025C73FC1118: _getptd_noexit.LIBCMT ref: 0000025C73FC111C

_invalid_parameter_noinfo.LIBCMT ref: 0000025C73FBECBC

Strings

B, xrefs: 0000025C73FBECE8

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
Instruction ID: 635bf73add258e8886919d060bfa1d35d47d8cab0a76967a03ae00da1fa1e613
Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
Instruction Fuzzy Hash: 9F118EB6660F408AEB109B12E848399B668F7A8FE4F644360AB6807B95DF38C154CF04

Function 0000025C73FA10C4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000025C73FA116A

Part of subcall function 0000025C73FCE208: _calloc_impl.LIBCMT ref: 0000025C73FCE218
Part of subcall function 0000025C73FCE208: _errno.LIBCMT ref: 0000025C73FCE22B
Part of subcall function 0000025C73FCE208: _errno.LIBCMT ref: 0000025C73FCE235

free.LIBCMT ref: 0000025C73FA12F3
free.LIBCMT ref: 0000025C73FA12FD
free.LIBCMT ref: 0000025C73FA130F

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
Instruction ID: 29388c5b446d375fbe44ba5e59bc7f35d23bf6ca264e5af4b3751dc303ccdaa4
Opcode Fuzzy Hash: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
Instruction Fuzzy Hash: 6AC1EB36614F848AE764CF59E88479EB7F8F389B85F204129EA8D47F54EB38C455CB04

Function 0000025C757CAD44 Relevance: 5.2, APIs: 4, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C757CAD78

Part of subcall function 0000025C757CF284: _FF_MSGBANNER.LIBCMT ref: 0000025C757CF2B4
Part of subcall function 0000025C757CF284: _NMSG_WRITE.LIBCMT ref: 0000025C757CF2BE
Part of subcall function 0000025C757CF284: _callnewh.LIBCMT ref: 0000025C757CF2F2
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF2FD
Part of subcall function 0000025C757CF284: _errno.LIBCMT ref: 0000025C757CF308

free.LIBCMT ref: 0000025C757CAEBF
free.LIBCMT ref: 0000025C757CAF23
free.LIBCMT ref: 0000025C757CAF2F

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction ID: 380954e8be81c4dfb43c76a116af1bda4b2ab35dd652b2c2be929e681a3ab9b6
Opcode Fuzzy Hash: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction Fuzzy Hash: FE618C70624F094FEA58A7189CD97BDB2E9E79C302F31096DA446C3597FE34DD02CA89

Function 0000025C757B4300 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C757B4363

Memory Dump Source

Source File: 00000000.00000002.3471459246.0000025C757B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025C757B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c757b0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction ID: daac5fdbe2c50b975c77305e857d43942bbefd6df67de1a90403b34a6a928046
Opcode Fuzzy Hash: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction Fuzzy Hash: 8251AA70A28F054FDB589E1C98CA669B3E6F788301F24459DD84BC3686FA30DC12CA45

Function 0000025C73FBA144 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C73FBA178

Part of subcall function 0000025C73FBE684: _FF_MSGBANNER.LIBCMT ref: 0000025C73FBE6B4
Part of subcall function 0000025C73FBE684: _NMSG_WRITE.LIBCMT ref: 0000025C73FBE6BE
Part of subcall function 0000025C73FBE684: _callnewh.LIBCMT ref: 0000025C73FBE6F2
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE6FD
Part of subcall function 0000025C73FBE684: _errno.LIBCMT ref: 0000025C73FBE708

free.LIBCMT ref: 0000025C73FBA2BF
free.LIBCMT ref: 0000025C73FBA323
free.LIBCMT ref: 0000025C73FBA32F

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
Instruction ID: dcc8e85b6c90f2b43604c832ddc242b84fd991bbcc6c535adf94f95947605fc9
Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
Instruction Fuzzy Hash: BF5106A92A1B0049EE14AB31AD183ADE399B74CFC2F7804659D2A17FD5FA79C501CF18

Function 0000025C73FA3700 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000025C73FA3763

Memory Dump Source

Source File: 00000000.00000002.3471400157.0000025C73FA0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025C73FA0000, based on PE: true

Associated: 00000000.00000002.3471428041.0000025C73FF0000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3471428041.0000025C73FF5000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25c73fa0000_mode11_buqd.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
Instruction ID: e1ff6295ff89b4026dab61ed552fe221027a0df0aa3800ecdff609dadf563992
Opcode Fuzzy Hash: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
Instruction Fuzzy Hash: C9410626660B808BDB54CB2AA90875DB3A8F349FC6F204466DE3A43F85FF35D805CB04

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mode11_buqd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
mode11_buqd.exe

Function 0000025C757BE68C Relevance: 9.3, APIs: 6, Instructions: 260
networkCOMMONLIBRARYCODE

Function 0000025C757C5E28 Relevance: 6.2, APIs: 4, Instructions: 190
stringCOMMONLIBRARYCODE

Function 0000025C757BCA74 Relevance: 7.9, APIs: 6, Instructions: 411
COMMONLIBRARYCODE

Function 0000025C757BF014 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Function 0000025C757BEA48 Relevance: 3.2, APIs: 2, Instructions: 159
networkCOMMONLIBRARYCODE

Function 0000025C73FB96B4 Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON

Function 0000025C73FB9324 Relevance: 1.3, APIs: 1, Instructions: 87
memoryCOMMON

Function 0048F220 Relevance: .1, Instructions: 57
COMMON

Function 0048B5C0 Relevance: .0, Instructions: 2
COMMON