Edit tour

Windows Analysis Report
JP1KbvjWcM.exe

Overview

General Information

Sample name:	JP1KbvjWcM.exe renamed because original name is a hash value
Original sample name:	553ab6275ae084f4587840c55a7a2eeb.exe
Analysis ID:	1584584
MD5:	553ab6275ae084f4587840c55a7a2eeb
SHA1:	2c237cb58b4c27b0771e769e4d47fa19b6ad8601
SHA256:	8e550081d6ce27ae8e45a5d8d9af5088e9b1f725ea6eadc47cda7b223f078ea7
Tags:	CobaltStrikeexeuser-abuse_ch
Infos:

Detection

CobaltStrike, Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected CobaltStrike

Yara detected Metasploit Payload

Yara detected Powershell download and execute

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

JP1KbvjWcM.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\JP1KbvjWcM.exe" MD5: 553AB6275AE084F4587840C55A7A2EEB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"C2Server": "http://03.19.190.184:4436/Ld3z", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)\r\n"}

Threatname: Metasploit

{"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)\r\n", "Type": "Metasploit Download", "URL": "http://103.19.190.184/Ld3z"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x871:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x8dd:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x32d6a:$a11: Could not open service control manager on %s: %d 0x3329c:$a12: %d is an x64 process (can't inject x86 content) 0x332cc:$a13: %d is an x86 process (can't inject x64 content) 0x335ed:$a14: Failed to impersonate logged on user %d (%u) 0x33255:$a15: could not create remote thread in %d: %d 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33203:$a17: could not write to process memory: %d 0x32d9b:$a18: Could not create service %s on %s: %d 0x32e24:$a19: Could not delete service %s on %s: %d 0x32c89:$a20: Could not open process token: %d (%u)
00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x334b2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x334fc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x3: %d is an x86 process (can't inject x64 content) 0x32c89:$s1: Could not open process token: %d (%u) 0x329a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s4: Could not connect to pipe (%s): %d
00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x41bf1:$loader_export: ReflectiveLoader 0x32960:$exportname: beacon.dll
00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3329c:$x2: %d is an x64 process (can't inject x86 content) 0x335ed:$x3: Failed to impersonate logged on user %d (%u) 0x334fc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x334b2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32c0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x33203:$s4: could not write to process memory: %d 0x329a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s6: Could not connect to pipe (%s): %d
00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x33970:$str1: %s (admin) 0x32960:$str2: beacon.dll
00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x334fc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x2: %d is an x86 process (can't inject x64 content) 0x334b2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33596:$x4: Failed to impersonate token from %d (%u) 0x335ed:$x5: Failed to impersonate logged on user %d (%u) 0x329a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x3348a:$s1: %%IMPORT%% 0x32987:$s2: www6.%x%x.%s 0x3297b:$s3: cdn.%x%x.%s 0x32c03:$s4: api.%x%x.%s 0x33970:$s5: %s (admin) 0x32c72:$s6: could not spawn %s: %d 0x3352e:$s7: Could not kill %d: %d 0x32d47:$s8: Could not connect to pipe (%s): %d 0x32994:$s9: %s.1%x.%x%x.%s 0x329a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x32b38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x32ba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x32bc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x32bdd:$s9: %s.1%08x%08x.%x%x.%s 0x32bf2:$s9: %s.1%08x.%x%x.%s
00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fea:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31062:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x317c7:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31af9:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a8b:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31af9:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x310c5:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31256:$a7: could not run command (w/ token) because of its length of %d bytes! 0x3110b:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31149:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31b43:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x313b1:$a11: Could not open service control manager on %s: %d 0x318e3:$a12: %d is an x64 process (can't inject x86 content) 0x31913:$a13: %d is an x86 process (can't inject x64 content) 0x31c34:$a14: Failed to impersonate logged on user %d (%u) 0x3189c:$a15: could not create remote thread in %d: %d 0x3117f:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3184a:$a17: could not write to process memory: %d 0x313e2:$a18: Could not create service %s on %s: %d 0x3146b:$a19: Could not delete service %s on %s: %d 0x312d0:$a20: Could not open process token: %d (%u)
00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd83:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x189b1:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19ce2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x40238:$loader_export: ReflectiveLoader 0x30fa7:$exportname: beacon.dll
00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31b43:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31913:$x2: %d is an x86 process (can't inject x64 content) 0x31af9:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31bdd:$x4: Failed to impersonate token from %d (%u) 0x31c34:$x5: Failed to impersonate logged on user %d (%u) 0x30fea:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x19911:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 71 F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0x18cb5:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
Process Memory Space: JP1KbvjWcM.exe PID: 7324	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: JP1KbvjWcM.exe PID: 7324	JoeSecurity_CobaltStrike_1	Yara detected CobaltStrike	Joe Security
Process Memory Space: JP1KbvjWcM.exe PID: 7324	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: JP1KbvjWcM.exe PID: 7324	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: JP1KbvjWcM.exe PID: 7324	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: JP1KbvjWcM.exe PID: 7324	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30834:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x80c01:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x308ac:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x80c79:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31011:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x813de:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31339:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x81706:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x312cb:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31339:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x81698:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x81706:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3090f:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x80cdc:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30aa0:$a7: could not run command (w/ token) because of its length of %d bytes! 0x80e6d:$a7: could not run command (w/ token) because of its length of %d bytes! 0x30955:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x80d22:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30993:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x80d60:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31383:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
Process Memory Space: JP1KbvjWcM.exe PID: 7324	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3597e:$loader_export: ReflectiveLoader 0x3599d:$loader_export: ReflectiveLoader 0x85d4b:$loader_export: ReflectiveLoader 0x85d6a:$loader_export: ReflectiveLoader 0x30672:$exportname: beacon.dll 0x307fb:$exportname: beacon.dll 0x80a3f:$exportname: beacon.dll 0x80bc8:$exportname: beacon.dll
Process Memory Space: JP1KbvjWcM.exe PID: 7324	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31383:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x81750:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x3115d:$x2: %d is an x86 process (can't inject x64 content) 0x8152a:$x2: %d is an x86 process (can't inject x64 content) 0x31339:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x81706:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3141d:$x4: Failed to impersonate token from %d (%u) 0x817ea:$x4: Failed to impersonate token from %d (%u) 0x31474:$x5: Failed to impersonate logged on user %d (%u) 0x81841:$x5: Failed to impersonate logged on user %d (%u) 0x30834:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x80c01:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x32d6a:$a11: Could not open service control manager on %s: %d 0x3329c:$a12: %d is an x64 process (can't inject x86 content) 0x332cc:$a13: %d is an x86 process (can't inject x64 content) 0x335ed:$a14: Failed to impersonate logged on user %d (%u) 0x33255:$a15: could not create remote thread in %d: %d 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33203:$a17: could not write to process memory: %d 0x32d9b:$a18: Could not create service %s on %s: %d 0x32e24:$a19: Could not delete service %s on %s: %d 0x32c89:$a20: Could not open process token: %d (%u)
0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x334b2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x334fc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x3: %d is an x86 process (can't inject x64 content) 0x32c89:$s1: Could not open process token: %d (%u) 0x329a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s4: Could not connect to pipe (%s): %d
0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x41bf1:$loader_export: ReflectiveLoader 0x32960:$exportname: beacon.dll
0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3329c:$x2: %d is an x64 process (can't inject x86 content) 0x335ed:$x3: Failed to impersonate logged on user %d (%u) 0x334fc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x334b2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32c0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x33203:$s4: could not write to process memory: %d 0x329a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s6: Could not connect to pipe (%s): %d
0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x33970:$str1: %s (admin) 0x32960:$str2: beacon.dll
0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x334fc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x2: %d is an x86 process (can't inject x64 content) 0x334b2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33596:$x4: Failed to impersonate token from %d (%u) 0x335ed:$x5: Failed to impersonate logged on user %d (%u) 0x329a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x3348a:$s1: %%IMPORT%% 0x32987:$s2: www6.%x%x.%s 0x3297b:$s3: cdn.%x%x.%s 0x32c03:$s4: api.%x%x.%s 0x33970:$s5: %s (admin) 0x32c72:$s6: could not spawn %s: %d 0x3352e:$s7: Could not kill %d: %d 0x32d47:$s8: Could not connect to pipe (%s): %d 0x32994:$s9: %s.1%x.%x%x.%s 0x329a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x32b38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x32ba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x32bc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x32bdd:$s9: %s.1%08x%08x.%x%x.%s 0x32bf2:$s9: %s.1%08x.%x%x.%s
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x3136a:$a11: Could not open service control manager on %s: %d 0x3189c:$a12: %d is an x64 process (can't inject x86 content) 0x318cc:$a13: %d is an x86 process (can't inject x64 content) 0x31bed:$a14: Failed to impersonate logged on user %d (%u) 0x31855:$a15: could not create remote thread in %d: %d 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31803:$a17: could not write to process memory: %d 0x3139b:$a18: Could not create service %s on %s: %d 0x31424:$a19: Could not delete service %s on %s: %d 0x31289:$a20: Could not open process token: %d (%u)
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x31ab2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31afc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x3: %d is an x86 process (can't inject x64 content) 0x31289:$s1: Could not open process token: %d (%u) 0x30fa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s4: Could not connect to pipe (%s): %d
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x401f1:$loader_export: ReflectiveLoader 0x30f60:$exportname: beacon.dll
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3189c:$x2: %d is an x64 process (can't inject x86 content) 0x31bed:$x3: Failed to impersonate logged on user %d (%u) 0x31afc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31ab2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3120f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31803:$s4: could not write to process memory: %d 0x30fa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s6: Could not connect to pipe (%s): %d
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31f70:$str1: %s (admin) 0x30f60:$str2: beacon.dll
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31afc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x2: %d is an x86 process (can't inject x64 content) 0x31ab2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31b96:$x4: Failed to impersonate token from %d (%u) 0x31bed:$x5: Failed to impersonate logged on user %d (%u) 0x30fa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x31a8a:$s1: %%IMPORT%% 0x30f87:$s2: www6.%x%x.%s 0x30f7b:$s3: cdn.%x%x.%s 0x31203:$s4: api.%x%x.%s 0x31f70:$s5: %s (admin) 0x31272:$s6: could not spawn %s: %d 0x31b2e:$s7: Could not kill %d: %d 0x31347:$s8: Could not connect to pipe (%s): %d 0x30f94:$s9: %s.1%x.%x%x.%s 0x30fa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3107e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x311a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x311c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x311dd:$s9: %s.1%08x%08x.%x%x.%s 0x311f2:$s9: %s.1%08x.%x%x.%s
Click to see the 18 entries

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T23:01:59.603758+0100	2028765	3	Unknown Traffic	192.168.2.4	49731	103.19.190.184	4436	TCP
2025-01-05T23:02:03.786403+0100	2028765	3	Unknown Traffic	192.168.2.4	49733	103.19.190.184	4436	TCP
2025-01-05T23:02:05.623140+0100	2028765	3	Unknown Traffic	192.168.2.4	49734	103.19.190.184	4436	TCP
2025-01-05T23:02:07.393755+0100	2028765	3	Unknown Traffic	192.168.2.4	49735	103.19.190.184	4436	TCP
2025-01-05T23:02:09.235025+0100	2028765	3	Unknown Traffic	192.168.2.4	49736	103.19.190.184	4436	TCP
2025-01-05T23:02:11.011611+0100	2028765	3	Unknown Traffic	192.168.2.4	49737	103.19.190.184	4436	TCP
2025-01-05T23:02:12.823659+0100	2028765	3	Unknown Traffic	192.168.2.4	49738	103.19.190.184	4436	TCP
2025-01-05T23:02:14.627202+0100	2028765	3	Unknown Traffic	192.168.2.4	49739	103.19.190.184	4436	TCP
2025-01-05T23:02:16.431757+0100	2028765	3	Unknown Traffic	192.168.2.4	49742	103.19.190.184	4436	TCP
2025-01-05T23:02:18.201963+0100	2028765	3	Unknown Traffic	192.168.2.4	49747	103.19.190.184	4436	TCP
2025-01-05T23:02:19.969502+0100	2028765	3	Unknown Traffic	192.168.2.4	52090	103.19.190.184	4436	TCP
2025-01-05T23:02:21.557229+0100	2028765	3	Unknown Traffic	192.168.2.4	60047	103.19.190.184	4436	TCP
2025-01-05T23:02:23.332157+0100	2028765	3	Unknown Traffic	192.168.2.4	60050	103.19.190.184	4436	TCP
2025-01-05T23:02:25.106531+0100	2028765	3	Unknown Traffic	192.168.2.4	60052	103.19.190.184	4436	TCP
2025-01-05T23:02:26.891283+0100	2028765	3	Unknown Traffic	192.168.2.4	60055	103.19.190.184	4436	TCP
2025-01-05T23:02:28.699749+0100	2028765	3	Unknown Traffic	192.168.2.4	60056	103.19.190.184	4436	TCP
2025-01-05T23:02:30.536325+0100	2028765	3	Unknown Traffic	192.168.2.4	60057	103.19.190.184	4436	TCP
2025-01-05T23:02:32.410674+0100	2028765	3	Unknown Traffic	192.168.2.4	60058	103.19.190.184	4436	TCP
2025-01-05T23:02:34.227081+0100	2028765	3	Unknown Traffic	192.168.2.4	60059	103.19.190.184	4436	TCP
2025-01-05T23:02:36.014165+0100	2028765	3	Unknown Traffic	192.168.2.4	60060	103.19.190.184	4436	TCP
2025-01-05T23:02:37.793251+0100	2028765	3	Unknown Traffic	192.168.2.4	60061	103.19.190.184	4436	TCP
2025-01-05T23:02:39.545662+0100	2028765	3	Unknown Traffic	192.168.2.4	60062	103.19.190.184	4436	TCP
2025-01-05T23:02:41.441832+0100	2028765	3	Unknown Traffic	192.168.2.4	60063	103.19.190.184	4436	TCP
2025-01-05T23:02:43.266786+0100	2028765	3	Unknown Traffic	192.168.2.4	60064	103.19.190.184	4436	TCP
2025-01-05T23:02:45.205863+0100	2028765	3	Unknown Traffic	192.168.2.4	60065	103.19.190.184	4436	TCP
2025-01-05T23:02:46.965747+0100	2028765	3	Unknown Traffic	192.168.2.4	60066	103.19.190.184	4436	TCP
2025-01-05T23:02:48.724031+0100	2028765	3	Unknown Traffic	192.168.2.4	60067	103.19.190.184	4436	TCP
2025-01-05T23:02:50.530591+0100	2028765	3	Unknown Traffic	192.168.2.4	60068	103.19.190.184	4436	TCP
2025-01-05T23:02:52.347527+0100	2028765	3	Unknown Traffic	192.168.2.4	60069	103.19.190.184	4436	TCP
2025-01-05T23:02:54.167621+0100	2028765	3	Unknown Traffic	192.168.2.4	60070	103.19.190.184	4436	TCP
2025-01-05T23:02:55.975591+0100	2028765	3	Unknown Traffic	192.168.2.4	60071	103.19.190.184	4436	TCP
2025-01-05T23:02:57.892289+0100	2028765	3	Unknown Traffic	192.168.2.4	60072	103.19.190.184	4436	TCP
2025-01-05T23:02:59.672608+0100	2028765	3	Unknown Traffic	192.168.2.4	60079	103.19.190.184	4436	TCP
2025-01-05T23:03:01.505346+0100	2028765	3	Unknown Traffic	192.168.2.4	60090	103.19.190.184	4436	TCP
2025-01-05T23:03:03.279739+0100	2028765	3	Unknown Traffic	192.168.2.4	60106	103.19.190.184	4436	TCP
2025-01-05T23:03:05.028510+0100	2028765	3	Unknown Traffic	192.168.2.4	60117	103.19.190.184	4436	TCP
2025-01-05T23:03:06.787605+0100	2028765	3	Unknown Traffic	192.168.2.4	60126	103.19.190.184	4436	TCP
2025-01-05T23:03:08.572683+0100	2028765	3	Unknown Traffic	192.168.2.4	60136	103.19.190.184	4436	TCP
2025-01-05T23:03:10.339222+0100	2028765	3	Unknown Traffic	192.168.2.4	60150	103.19.190.184	4436	TCP
2025-01-05T23:03:12.129686+0100	2028765	3	Unknown Traffic	192.168.2.4	60163	103.19.190.184	4436	TCP
2025-01-05T23:03:13.933920+0100	2028765	3	Unknown Traffic	192.168.2.4	60175	103.19.190.184	4436	TCP
2025-01-05T23:03:15.724059+0100	2028765	3	Unknown Traffic	192.168.2.4	60189	103.19.190.184	4436	TCP
2025-01-05T23:03:17.498949+0100	2028765	3	Unknown Traffic	192.168.2.4	60200	103.19.190.184	4436	TCP
2025-01-05T23:03:19.165639+0100	2028765	3	Unknown Traffic	192.168.2.4	60207	103.19.190.184	4436	TCP
2025-01-05T23:03:20.927163+0100	2028765	3	Unknown Traffic	192.168.2.4	60220	103.19.190.184	4436	TCP
2025-01-05T23:03:22.713365+0100	2028765	3	Unknown Traffic	192.168.2.4	60232	103.19.190.184	4436	TCP
2025-01-05T23:03:24.526638+0100	2028765	3	Unknown Traffic	192.168.2.4	60244	103.19.190.184	4436	TCP
2025-01-05T23:03:26.320314+0100	2028765	3	Unknown Traffic	192.168.2.4	60256	103.19.190.184	4436	TCP
2025-01-05T23:03:28.130833+0100	2028765	3	Unknown Traffic	192.168.2.4	60270	103.19.190.184	4436	TCP
2025-01-05T23:03:29.946925+0100	2028765	3	Unknown Traffic	192.168.2.4	60282	103.19.190.184	4436	TCP
2025-01-05T23:03:32.006167+0100	2028765	3	Unknown Traffic	192.168.2.4	60297	103.19.190.184	4436	TCP
2025-01-05T23:03:33.767331+0100	2028765	3	Unknown Traffic	192.168.2.4	60308	103.19.190.184	4436	TCP
2025-01-05T23:03:35.553283+0100	2028765	3	Unknown Traffic	192.168.2.4	60323	103.19.190.184	4436	TCP
2025-01-05T23:03:37.385782+0100	2028765	3	Unknown Traffic	192.168.2.4	60335	103.19.190.184	4436	TCP
2025-01-05T23:03:39.171778+0100	2028765	3	Unknown Traffic	192.168.2.4	60347	103.19.190.184	4436	TCP
2025-01-05T23:03:41.007473+0100	2028765	3	Unknown Traffic	192.168.2.4	60359	103.19.190.184	4436	TCP
2025-01-05T23:03:42.809595+0100	2028765	3	Unknown Traffic	192.168.2.4	60364	103.19.190.184	4436	TCP
2025-01-05T23:03:44.629614+0100	2028765	3	Unknown Traffic	192.168.2.4	60365	103.19.190.184	4436	TCP
2025-01-05T23:03:46.375546+0100	2028765	3	Unknown Traffic	192.168.2.4	60366	103.19.190.184	4436	TCP
2025-01-05T23:03:48.163558+0100	2028765	3	Unknown Traffic	192.168.2.4	60367	103.19.190.184	4436	TCP
2025-01-05T23:03:49.930369+0100	2028765	3	Unknown Traffic	192.168.2.4	60368	103.19.190.184	4436	TCP
2025-01-05T23:03:51.715160+0100	2028765	3	Unknown Traffic	192.168.2.4	60369	103.19.190.184	4436	TCP
2025-01-05T23:03:53.718995+0100	2028765	3	Unknown Traffic	192.168.2.4	60370	103.19.190.184	4436	TCP
2025-01-05T23:03:55.491219+0100	2028765	3	Unknown Traffic	192.168.2.4	60371	103.19.190.184	4436	TCP
2025-01-05T23:03:57.049787+0100	2028765	3	Unknown Traffic	192.168.2.4	60372	103.19.190.184	4436	TCP
2025-01-05T23:03:58.858003+0100	2028765	3	Unknown Traffic	192.168.2.4	60373	103.19.190.184	4436	TCP
2025-01-05T23:04:00.643548+0100	2028765	3	Unknown Traffic	192.168.2.4	60374	103.19.190.184	4436	TCP
2025-01-05T23:04:02.680495+0100	2028765	3	Unknown Traffic	192.168.2.4	60375	103.19.190.184	4436	TCP
2025-01-05T23:04:04.460530+0100	2028765	3	Unknown Traffic	192.168.2.4	60376	103.19.190.184	4436	TCP

ET MALWARE Meterpreter or Other Reverse Shell SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T23:02:01.034309+0100	2035651	1	A Network Trojan was detected	103.19.190.184	4436	192.168.2.4	49731	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: CobaltStrike {"C2Server": "http://03.19.190.184:4436/Ld3z", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)\r\n"}
Source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)\r\n", "Type": "Metasploit Download", "URL": "http://103.19.190.184/Ld3z"}

Multi AV Scanner detection for submitted file

Source: JP1KbvjWcM.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01A1184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		0_2_00000265B01A1184
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01D2020 CryptGenRandom,		0_2_00000265B01D2020

Source: JP1KbvjWcM.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01B9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_00000265B01B9220
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01B1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_00000265B01B1C30

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 103.19.190.184:4436 -> 192.168.2.4:49731

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://03.19.190.184:4436/Ld3z
Source: Malware configuration extractor	URLs: http://103.19.190.184/Ld3z

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 103.19.190.184:4436

Source: global traffic	TCP traffic: 192.168.2.4:52089 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.4:60046 -> 1.1.1.1:53

Source: Joe Sandbox View

ASN Name: SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49731 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49736 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49734 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49733 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49735 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49737 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49747 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:52090 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60059 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60047 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60066 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60064 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60065 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60063 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49738 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60062 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60071 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60058 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60106 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60079 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60072 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60050 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60052 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60055 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49739 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60068 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60117 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60057 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60090 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60069 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60126 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60060 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60056 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60061 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60136 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60189 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60067 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60207 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60070 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60200 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60220 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60232 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60163 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60244 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60175 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60256 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60150 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60270 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60282 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60308 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60297 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60323 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60335 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60347 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60359 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60364 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60365 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60367 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60368 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60370 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60371 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60366 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60376 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60373 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60369 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60374 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60372 -> 103.19.190.184:4436
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:60375 -> 103.19.190.184:4436

Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184
Source: unknown	TCP traffic detected without corresponding DNS query: 103.19.190.184

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01AE68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle,

0_2_00000265B01AE68C

Source: global traffic

DNS traffic detected: DNS query: 212.20.149.52.in-addr.arpa

Source: JP1KbvjWcM.exe, 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:%u/
Source: JP1KbvjWcM.exe, 00000000.00000003.1681676217.00000265AFFAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/a4
Source: JP1KbvjWcM.exe, 00000000.00000003.1681676217.00000265AFFAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/k4
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab0
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabT
Source: JP1KbvjWcM.exe, 00000000.00000003.1681676217.00000265AFFAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/q5
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184/
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184/8
Source: JP1KbvjWcM.exe, 00000000.00000003.2779450745.00000265AFF87000.00000004.00000020.00020000.00000000.sdmp, JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF87000.00000004.00000020.00020000.00000000.sdmp, JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/Ld3z
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/Ld3zc
Source: JP1KbvjWcM.exe, 00000000.00000003.2779450745.00000265AFF87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/l
Source: JP1KbvjWcM.exe, 00000000.00000003.1967514509.00000265AFF85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/match
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/match%
Source: JP1KbvjWcM.exe, 00000000.00000003.1967322736.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/match06
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/match32
Source: JP1KbvjWcM.exe, 00000000.00000003.1839792896.00000265AFF86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/match7
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/match9
Source: JP1KbvjWcM.exe, 00000000.00000003.2779558871.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/matchC
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/matchP
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/matchT
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF87000.00000004.00000020.00020000.00000000.sdmp, JP1KbvjWcM.exe, 00000000.00000003.1967514509.00000265AFF85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/matche
Source: JP1KbvjWcM.exe, 00000000.00000003.1967322736.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.19.190.184:4436/matchm

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: Process Memory Space: JP1KbvjWcM.exe PID: 7324, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: JP1KbvjWcM.exe PID: 7324, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: JP1KbvjWcM.exe PID: 7324, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01B0F34 CreateProcessAsUserA,GetLastError,GetLastError,CreateProcessA,GetLastError,GetCurrentDirectoryW,GetCurrentDirectoryW,CreateProcessWithTokenW,GetLastError,GetLastError,GetLastError,GetLastError,

0_2_00000265B01B0F34

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01C1E64	0_2_00000265B01C1E64
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01B867C	0_2_00000265B01B867C
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01CB6B0	0_2_00000265B01CB6B0
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01B0F34	0_2_00000265B01B0F34
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01C0F74	0_2_00000265B01C0F74
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01C2F9C	0_2_00000265B01C2F9C
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01CCF97	0_2_00000265B01CCF97
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01C01A8	0_2_00000265B01C01A8
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01CF200	0_2_00000265B01CF200
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01ADA3C	0_2_00000265B01ADA3C
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01AA280	0_2_00000265B01AA280
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01CD280	0_2_00000265B01CD280
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01B7B38	0_2_00000265B01B7B38
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01CC3B0	0_2_00000265B01CC3B0
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01CDBF0	0_2_00000265B01CDBF0
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01C6514	0_2_00000265B01C6514
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01C2528	0_2_00000265B01C2528
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01A9D6C	0_2_00000265B01A9D6C
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00007FF65B3B5120	0_2_00007FF65B3B5120
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00007FF65B3B3F40	0_2_00007FF65B3B3F40
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B208196F	0_2_00000265B208196F
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B207F5EF	0_2_00000265B207F5EF
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B20823E3	0_2_00000265B20823E3
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B20812AB	0_2_00000265B20812AB

Source: JP1KbvjWcM.exe

Static PE information: Number of sections : 11 > 10

Source: JP1KbvjWcM.exe, 00000000.00000000.1648185487.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHipsMain.exeT vs JP1KbvjWcM.exe
Source: JP1KbvjWcM.exe	Binary or memory string: OriginalFilenameHipsMain.exeT vs JP1KbvjWcM.exe

Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: Process Memory Space: JP1KbvjWcM.exe PID: 7324, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: JP1KbvjWcM.exe PID: 7324, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: JP1KbvjWcM.exe PID: 7324, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/3@1/1

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01B0B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

0_2_00000265B01B0B70

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01B867C TerminateProcess,GetLastError,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,htonl,htonl,GetLastError,OpenProcessToken,GetLastError,ImpersonateLoggedOnUser,GetLastError,DuplicateTokenEx,GetLastError,ImpersonateLoggedOnUser,GetLastError,

0_2_00000265B01B867C

Source: JP1KbvjWcM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: JP1KbvjWcM.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: JP1KbvjWcM.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: JP1KbvjWcM.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01C9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00000265B01C9744

Source: JP1KbvjWcM.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01D916C push 0000006Ah; retf	0_2_00000265B01D9184
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B022098B push eax; ret	0_2_00000265B0220BE7
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B0220B5E push eax; ret	0_2_00000265B0220BE7
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B206B19F push ebp; iretd	0_2_00000265B206B1A0
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B20697A4 push edi; iretd	0_2_00000265B20697A5
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B208AC96 push ebp; iretd	0_2_00000265B208AC97
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B208ACB6 push ebp; iretd	0_2_00000265B208ACB7
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B208ACDF push ebp; iretd	0_2_00000265B208ACE0
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B206FD48 push ebx; iretd	0_2_00000265B206FD49
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B206BD63 pushad ; retf	0_2_00000265B206BD64
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B2069B65 push cs; retf	0_2_00000265B2069B66

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01C01A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00000265B01C01A8

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01B5854		0_2_00000265B01B5854
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01AFA1C		0_2_00000265B01AFA1C

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-35573
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Evasive API call chain: GetLocalTime,DecisionNodes			graph_0-35437

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

API coverage: 6.4 %

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01AFA1C

0_2_00000265B01AFA1C

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe TID: 7340	Thread sleep count: 66 > 30			Jump to behavior
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe TID: 7340	Thread sleep time: -3960000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01B9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_00000265B01B9220
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01B1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_00000265B01B1C30

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF43000.00000004.00000020.00020000.00000000.sdmp, JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFECC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

API call chain: ExitProcess graph end node

graph_0-35504

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

0_2_00000265B01C9744

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

0_2_00000265B01C9744

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

0_2_00000265B01C9744

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01B76F0 InitializeProcThreadAttributeList,GetProcessHeap,HeapAlloc,InitializeProcThreadAttributeList,

0_2_00000265B01B76F0

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01D24E0 RtlVirtualUnwind,SetUnhandledExceptionFilter,	0_2_00000265B01D24E0
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00007FF65B3B1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,	0_2_00007FF65B3B1180
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00007FF65B3BD2D0 SetUnhandledExceptionFilter,malloc,	0_2_00007FF65B3BD2D0

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: JP1KbvjWcM.exe PID: 7324, type: MEMORYSTR

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01BDF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,

0_2_00000265B01BDF50

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01BDEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00000265B01BDEC8

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01B0920 CreateNamedPipeA,

0_2_00000265B01B0920

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01D22A0 ReadFile,GetLocalTime,

0_2_00000265B01D22A0

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01B5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

0_2_00000265B01B5E28

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe

Code function: 0_2_00000265B01B5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

0_2_00000265B01B5E28

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: Process Memory Space: JP1KbvjWcM.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JP1KbvjWcM.exe.265b01a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Metasploit Payload

Source: Yara match

File source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01D2630 bind,	0_2_00000265B01D2630
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01B6670 htonl,htons,socket,closesocket,bind,ioctlsocket,	0_2_00000265B01B6670
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01BEE8C socket,closesocket,htons,bind,listen,	0_2_00000265B01BEE8C
Source: C:\Users\user\Desktop\JP1KbvjWcM.exe	Code function: 0_2_00000265B01B6A78 socket,htons,ioctlsocket,closesocket,bind,listen,	0_2_00000265B01B6A78

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Access Token Manipulation	11 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Process Injection	21 Access Token Manipulation	Security Account Manager	141 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Process Injection	NTDS	11 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Process Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	3 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
JP1KbvjWcM.exe	68%	ReversingLabs	Win64.Trojan.CobaltStrike

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://103.19.190.184:4436/match9	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/matchP	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/matchm	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/Ld3zc	0%	Avira URL Cloud	safe
http://103.19.190.184/Ld3z	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/matchT	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/match7	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/match32	0%	Avira URL Cloud	safe
https://103.19.190.184/	0%	Avira URL Cloud	safe
http://127.0.0.1:%u/	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/Ld3z	0%	Avira URL Cloud	safe
http://03.19.190.184:4436/Ld3z	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/match06	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/match%	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/l	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/matche	0%	Avira URL Cloud	safe
https://103.19.190.184/8	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/match	0%	Avira URL Cloud	safe
https://103.19.190.184:4436/matchC	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high
212.20.149.52.in-addr.arpa	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://103.19.190.184/Ld3z	true	Avira URL Cloud: safe	unknown
http://03.19.190.184:4436/Ld3z	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://103.19.190.184:4436/matchm	JP1KbvjWcM.exe, 00000000.00000003.1967322736.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/	JP1KbvjWcM.exe, 00000000.00000003.2779450745.00000265AFF87000.00000004.00000020.00020000.00000000.sdmp, JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF87000.00000004.00000020.00020000.00000000.sdmp, JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF51000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/matchP	JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/matchT	JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/Ld3zc	JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF26000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/match7	JP1KbvjWcM.exe, 00000000.00000003.1839792896.00000265AFF86000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/match32	JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/match9	JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184/	JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFECC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184/8	JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFECC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/Ld3z	JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF26000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/match06	JP1KbvjWcM.exe, 00000000.00000003.1967322736.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%u/	JP1KbvjWcM.exe, 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/l	JP1KbvjWcM.exe, 00000000.00000003.2779450745.00000265AFF87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/matchC	JP1KbvjWcM.exe, 00000000.00000003.2779558871.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/match%	JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFFA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/matche	JP1KbvjWcM.exe, 00000000.00000002.2911305733.00000265AFF87000.00000004.00000020.00020000.00000000.sdmp, JP1KbvjWcM.exe, 00000000.00000003.1967514509.00000265AFF85000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://103.19.190.184:4436/match	JP1KbvjWcM.exe, 00000000.00000003.1967514509.00000265AFF85000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.19.190.184	unknown	Hong Kong		38197	SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584584
Start date and time:	2025-01-05 23:01:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	JP1KbvjWcM.exe renamed because original name is a hash value
Original Sample Name:	553ab6275ae084f4587840c55a7a2eeb.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/3@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 15 Number of non-executed functions: 147
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 20.109.210.53, 40.69.42.241, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: JP1KbvjWcM.exe

Simulations

Behavior and APIs

Time	Type	Description
17:02:03	API Interceptor	67x Sleep call for process: JP1KbvjWcM.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	cZO.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	jaTDEkWCbs.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	3LcZO15oTC.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	N5kEzgUBn6.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	199.232.214.172
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	199.232.214.172
	N5kEzgUBn6.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	199.232.210.172
	setup64v9.3.4.msi	Get hash	malicious	Unknown	Browse	199.232.210.172
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	199.232.210.172
	c2.hta	Get hash	malicious	Remcos	Browse	199.232.214.172
	phishingtest.eml	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong	armv6l.elf	Get hash	malicious	Unknown	Browse	117.19.90.30
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	112.213.116.149
	file.exe	Get hash	malicious	XWorm	Browse	112.213.116.149
	arm5.elf	Get hash	malicious	Unknown	Browse	117.19.102.86
	jew.ppc.elf	Get hash	malicious	Unknown	Browse	112.213.114.230
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	117.19.113.75
	wFg25zfjIL.dll	Get hash	malicious	Unknown	Browse	103.45.64.91
	wFg25zfjIL.dll	Get hash	malicious	Unknown	Browse	103.45.64.91
	LSQz1xnW54.exe	Get hash	malicious	Unknown	Browse	103.45.64.91
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	121.127.231.212

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\JP1KbvjWcM.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\JP1KbvjWcM.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.238004231589766
Encrypted:	false
SSDEEP:	6:kKrSrT9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:DiqDImsLNkPlE99SNxAhUe/3
MD5:	53B0331E600515ED7CFDD1DB042D1D04
SHA1:	D10EE49348E5163DA7305EC26B2AFF388FA47655
SHA-256:	E77B65CF145A3012D3F81E9BE8613C7289D45E45AC2D56B046C6E351BEA33A95
SHA-512:	D4BE602E1FA85EBE59689C86FA815917EE8EE409AA7938607CCDB2FDEAB5D245700127AE58767866C15B54B01492192B3E9EBCFC4FA5F2D90F94760072FDA7CA
Malicious:	false
Reputation:	low
Preview:	p...... ........b3.q._..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

\Device\Mailslot\slot-80

Download File

Process:	C:\Users\user\Desktop\JP1KbvjWcM.exe
File Type:	data
Category:	dropped
Size (bytes):	928
Entropy (8bit):	7.60505190459615
Encrypted:	false
SSDEEP:	24:AIaWIM+rqSsNMOFqa3RWsmWX0Jmatg+craEDD:9ay+rqCmq8sOXo9tvcOE3
MD5:	4871B0C4A2E065F9C750B067C5B199E1
SHA1:	F67327A999D788AEE83F09AE2B35BA6A515DD687
SHA-256:	A8CA8A260A86F0E6E3B353011DF866D1567B3BF8EE36B6AD272DB4A89469FB28
SHA-512:	2BF1A0189B37F99169AA495C7C05008966559226638F45309FF794FB267CB8BE02DFF5A00942D302EFDFE79CC7AB59A35B360A2724303F9ACA072329C01DE465
Malicious:	false
Reputation:	low
Preview:	\|.Lg&.'.........Q..d...D...d...D...Y.......,....o.AZ........]..e....%n.......of....S......]...........l..]wg..E......,..J.../.s.r.@....R...............]..C.....P..........ml...)..........l....Q.....7...Fe....:...:..Z............:...q.:......f/.+...C..I..)...u._.).Ux......A.....'.......)$..x.;....U......'..........Fc.....9..qh.F..'.f4.T.\|)....Z......0VS..k..... .....\.d..>........9.....>..L.:._..".....@..j(.....(a..%.Aw.Q.....a[...Y...]........M.U!...n...............w.....3......c......s......4......s.....-.......I..O....lC..)...\|....l..s(.LQ.b...K[..w..L7.[...B.J..-.3K.[G.G...<.....TpK2.ot..5..y.S...ir...4#.N.V.<......./<?h@[.A.{....X.....<T..........!....b.\>'...;v./b.r3y.S...s...m.k...G.]..-.....Q.\.)...,.C@d{....z)U.,.Q.X..qsc..U..JlC..w..C.9....U.$.\|..\|...Fd.....I.;.c....6.lQygbl..U..k@.y.]D..C..........C.-h.2\|)r......z........iD

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	4.683408709645475
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	JP1KbvjWcM.exe
File size:	216'576 bytes
MD5:	553ab6275ae084f4587840c55a7a2eeb
SHA1:	2c237cb58b4c27b0771e769e4d47fa19b6ad8601
SHA256:	8e550081d6ce27ae8e45a5d8d9af5088e9b1f725ea6eadc47cda7b223f078ea7
SHA512:	863693d80d6cbdbb21fb1669eaaecd21b2b0ce7857911d4c0f5f1ce1d4fd874eafa261ecfcfb6fe15631d74b1d65acef15a3ba880c03df58b18e72249b57d6dd
SSDEEP:	3072:GLCP23GB0kWX9F4VhNvmvM1wnTqHcXFI:GWSY0O/vmvBn9XF
TLSH:	D424F747636138B6C52786B4D0D2C5A43DB2DC28EDE6E90743E1FE1EBA3EA416706533
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Q.&f...............).p...J.................@..........................................`... ............................

File Icon


Icon Hash:	1f346261d84c6712

Static PE Info

General

Entrypoint:	0x1400013d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6626E151 [Mon Apr 22 22:14:41 2024 UTC]
TLS Callbacks:	0x40001920, 0x1, 0x400018f0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	826994b0b08f6b39dd6e5d89103ca266

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [000083C5h]
mov dword ptr [eax], 00000001h
call 00007F6CE856961Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [000083A5h]
mov dword ptr [eax], 00000000h
call 00007F6CE85695FFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F6CE8570144h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F6CE8569859h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
jmp ecx
dec eax
arpl word ptr [00006BB6h], ax
test eax, eax
jle 00007F6CE85698A8h
cmp dword ptr [00006BAFh], 00000000h
jle 00007F6CE856989Fh
dec eax
mov edx, dword ptr [0000BE0Ah]
dec eax
mov dword ptr [ecx+eax], edx
dec eax
mov edx, dword ptr [0000BE07h]
dec eax
arpl word ptr [00006B94h], ax
dec eax
mov dword ptr [ecx+eax], edx
ret
push ebp
push edi
push esi
push ebx
dec eax
sub esp, 38h
dec eax
mov edi, ecx
mov ebx, edx
mov ecx, 00040000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x8b4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x2a8f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa000	0x4b0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b000	0x80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9060	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd230	0x1f0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6eb8	0x7000	9821c01fd4747aad0230a069590b0749	False	0.583251953125	data	6.259348913480805	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x8000	0x4d0	0x600	746951e9c8e8eb0deca3e8ff0f117f17	False	0.6881510416666666	data	6.00374345728658	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x9000	0xdf0	0xe00	5fd140e418acf407f5dcca641ad3e2df	False	0.30245535714285715	data	4.649097585295043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0xa000	0x4b0	0x600	55fba1436f2fda06c5477135a175d11a	False	0.4270833333333333	data	3.50775850606208	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0xb000	0x468	0x600	7d202bfe5864389afb40f533c27b737d	False	0.259765625	data	3.5680761976082636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0xc000	0xc00	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x8b4	0xa00	e1b133ef1bdd530cb98f1907953b84d0	False	0.32109375	data	3.632126266429373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xe000	0x60	0x200	95f0bee46fc0a8d265633a8fc963552b	False	0.068359375	data	0.29046607431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xf000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0x2a8f0	0x2aa00	a909764dcd226089ed830a27b3add73f	False	0.23965015579178886	data	4.160599677260271	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b000	0x80	0x200	20f73f8251a841b7032a47f27afdc011	False	0.248046875	data	1.5021486304447937	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x10388	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.3817204301075269
RT_ICON	0x10670	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5472972972972973
RT_ICON	0x10798	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.43443496801705755
RT_ICON	0x11640	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.5875451263537906
RT_ICON	0x11ee8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.671242774566474
RT_ICON	0x12450	0x3bf3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9913338111683065
RT_ICON	0x16048	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.09962439370637644
RT_ICON	0x26870	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.1279167542568846
RT_ICON	0x2fd18	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.1831601322626358
RT_ICON	0x33f40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.2337136929460581
RT_ICON	0x364e8	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	English	United States	0.26612426035502956
RT_ICON	0x37f50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3320825515947467
RT_ICON	0x38ff8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.4209016393442623
RT_ICON	0x39980	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	English	United States	0.4994186046511628
RT_ICON	0x3a038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5709219858156028
RT_GROUP_ICON	0x3a4a0	0xd8	data	English	United States	0.6296296296296297
RT_VERSION	0x3a578	0x374	data	English	United States	0.417420814479638

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CreateFileA, CreateMailslotA, CreateThread, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetLastError, GetMailslotInfo, GetModuleHandleA, GetProcAddress, GetTickCount, HeapAlloc, HeapCreate, HeapReAlloc, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, ReadFile, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, WriteFile

msvcrt.dll

__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, malloc, memcpy, memset, signal, strerror, strlen, strncmp, vfprintf, wcslen

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T23:01:59.603758+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49731	103.19.190.184	4436	TCP
2025-01-05T23:02:01.034309+0100	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	103.19.190.184	4436	192.168.2.4	49731	TCP
2025-01-05T23:02:03.786403+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49733	103.19.190.184	4436	TCP
2025-01-05T23:02:05.623140+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49734	103.19.190.184	4436	TCP
2025-01-05T23:02:07.393755+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49735	103.19.190.184	4436	TCP
2025-01-05T23:02:09.235025+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49736	103.19.190.184	4436	TCP
2025-01-05T23:02:11.011611+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49737	103.19.190.184	4436	TCP
2025-01-05T23:02:12.823659+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49738	103.19.190.184	4436	TCP
2025-01-05T23:02:14.627202+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49739	103.19.190.184	4436	TCP
2025-01-05T23:02:16.431757+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49742	103.19.190.184	4436	TCP
2025-01-05T23:02:18.201963+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49747	103.19.190.184	4436	TCP
2025-01-05T23:02:19.969502+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	52090	103.19.190.184	4436	TCP
2025-01-05T23:02:21.557229+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60047	103.19.190.184	4436	TCP
2025-01-05T23:02:23.332157+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60050	103.19.190.184	4436	TCP
2025-01-05T23:02:25.106531+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60052	103.19.190.184	4436	TCP
2025-01-05T23:02:26.891283+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60055	103.19.190.184	4436	TCP
2025-01-05T23:02:28.699749+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60056	103.19.190.184	4436	TCP
2025-01-05T23:02:30.536325+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60057	103.19.190.184	4436	TCP
2025-01-05T23:02:32.410674+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60058	103.19.190.184	4436	TCP
2025-01-05T23:02:34.227081+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60059	103.19.190.184	4436	TCP
2025-01-05T23:02:36.014165+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60060	103.19.190.184	4436	TCP
2025-01-05T23:02:37.793251+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60061	103.19.190.184	4436	TCP
2025-01-05T23:02:39.545662+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60062	103.19.190.184	4436	TCP
2025-01-05T23:02:41.441832+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60063	103.19.190.184	4436	TCP
2025-01-05T23:02:43.266786+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60064	103.19.190.184	4436	TCP
2025-01-05T23:02:45.205863+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60065	103.19.190.184	4436	TCP
2025-01-05T23:02:46.965747+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60066	103.19.190.184	4436	TCP
2025-01-05T23:02:48.724031+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60067	103.19.190.184	4436	TCP
2025-01-05T23:02:50.530591+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60068	103.19.190.184	4436	TCP
2025-01-05T23:02:52.347527+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60069	103.19.190.184	4436	TCP
2025-01-05T23:02:54.167621+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60070	103.19.190.184	4436	TCP
2025-01-05T23:02:55.975591+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60071	103.19.190.184	4436	TCP
2025-01-05T23:02:57.892289+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60072	103.19.190.184	4436	TCP
2025-01-05T23:02:59.672608+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60079	103.19.190.184	4436	TCP
2025-01-05T23:03:01.505346+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60090	103.19.190.184	4436	TCP
2025-01-05T23:03:03.279739+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60106	103.19.190.184	4436	TCP
2025-01-05T23:03:05.028510+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60117	103.19.190.184	4436	TCP
2025-01-05T23:03:06.787605+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60126	103.19.190.184	4436	TCP
2025-01-05T23:03:08.572683+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60136	103.19.190.184	4436	TCP
2025-01-05T23:03:10.339222+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60150	103.19.190.184	4436	TCP
2025-01-05T23:03:12.129686+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60163	103.19.190.184	4436	TCP
2025-01-05T23:03:13.933920+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60175	103.19.190.184	4436	TCP
2025-01-05T23:03:15.724059+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60189	103.19.190.184	4436	TCP
2025-01-05T23:03:17.498949+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60200	103.19.190.184	4436	TCP
2025-01-05T23:03:19.165639+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60207	103.19.190.184	4436	TCP
2025-01-05T23:03:20.927163+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60220	103.19.190.184	4436	TCP
2025-01-05T23:03:22.713365+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60232	103.19.190.184	4436	TCP
2025-01-05T23:03:24.526638+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60244	103.19.190.184	4436	TCP
2025-01-05T23:03:26.320314+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60256	103.19.190.184	4436	TCP
2025-01-05T23:03:28.130833+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60270	103.19.190.184	4436	TCP
2025-01-05T23:03:29.946925+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60282	103.19.190.184	4436	TCP
2025-01-05T23:03:32.006167+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60297	103.19.190.184	4436	TCP
2025-01-05T23:03:33.767331+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60308	103.19.190.184	4436	TCP
2025-01-05T23:03:35.553283+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60323	103.19.190.184	4436	TCP
2025-01-05T23:03:37.385782+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60335	103.19.190.184	4436	TCP
2025-01-05T23:03:39.171778+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60347	103.19.190.184	4436	TCP
2025-01-05T23:03:41.007473+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60359	103.19.190.184	4436	TCP
2025-01-05T23:03:42.809595+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60364	103.19.190.184	4436	TCP
2025-01-05T23:03:44.629614+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60365	103.19.190.184	4436	TCP
2025-01-05T23:03:46.375546+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60366	103.19.190.184	4436	TCP
2025-01-05T23:03:48.163558+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60367	103.19.190.184	4436	TCP
2025-01-05T23:03:49.930369+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60368	103.19.190.184	4436	TCP
2025-01-05T23:03:51.715160+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60369	103.19.190.184	4436	TCP
2025-01-05T23:03:53.718995+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60370	103.19.190.184	4436	TCP
2025-01-05T23:03:55.491219+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60371	103.19.190.184	4436	TCP
2025-01-05T23:03:57.049787+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60372	103.19.190.184	4436	TCP
2025-01-05T23:03:58.858003+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60373	103.19.190.184	4436	TCP
2025-01-05T23:04:00.643548+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60374	103.19.190.184	4436	TCP
2025-01-05T23:04:02.680495+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60375	103.19.190.184	4436	TCP
2025-01-05T23:04:04.460530+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	60376	103.19.190.184	4436	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 23:01:58.705466986 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:01:58.710396051 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:01:58.710520983 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:01:58.758284092 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:01:58.763046026 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:01:59.603626013 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:01:59.603758097 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:01:59.868544102 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:01:59.870678902 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.029476881 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.034308910 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.343396902 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.343457937 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.602699995 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.602762938 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.605307102 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.610095024 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.918133020 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.918157101 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.918167114 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.918179035 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.918199062 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.918220997 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.919795990 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.919804096 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.919850111 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.919929981 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.919974089 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.920002937 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.920049906 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.923701048 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.923710108 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.923755884 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.925251961 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.925261021 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.925307035 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.925345898 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.925354958 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.925394058 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.928690910 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.928702116 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.928714037 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:01.928741932 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:01.928759098 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.136092901 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.136105061 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.136118889 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.136178970 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.139223099 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.139234066 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.139245987 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.139286995 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.139298916 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.145351887 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.145363092 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.145373106 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.145416975 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.145443916 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.151545048 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.151556015 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.151565075 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.151598930 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.157448053 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.157459021 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.157468081 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.157496929 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.157517910 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.163222075 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.163232088 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.163274050 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.163356066 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.163364887 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.163403988 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.169179916 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.169190884 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.169200897 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.169229031 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.169240952 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.179043055 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.179054022 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.179063082 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.179112911 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.179143906 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.182362080 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.182372093 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.182377100 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.182432890 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.185740948 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.185795069 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.185857058 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.185857058 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.185866117 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.185905933 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.351874113 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.351900101 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.351908922 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.351974010 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.352000952 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.353328943 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.353338957 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.353348017 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.353384018 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.353406906 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.356755972 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.356765985 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.356776953 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.356825113 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.360158920 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.360167980 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.360178947 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.360213995 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.360218048 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.360238075 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.360270977 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.363389015 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.363399029 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.363408089 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.363436937 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.363462925 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.366803885 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.366815090 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.366823912 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.366863966 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.366889954 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.369843006 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.369853973 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.369863033 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.369900942 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.369924068 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.373105049 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.373114109 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.373162031 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.373193979 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.373203039 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.373241901 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.376173019 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.376183033 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.376193047 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.376235962 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.376250029 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.379462004 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.379472017 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.379481077 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.379525900 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.379545927 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.383666992 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.383677006 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.383686066 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.383732080 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.383757114 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.386584044 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.386655092 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.386665106 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.386713028 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.389667034 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.389710903 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.389770031 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.389781952 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.389791012 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.389828920 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.392777920 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.392787933 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.392797947 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.392838001 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.392849922 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.395946026 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.395956993 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.395966053 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.396007061 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.396039009 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.399020910 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.399030924 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.399039984 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.399079084 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.399102926 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.403196096 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.403207064 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.403217077 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.403263092 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.403289080 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.406342030 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.406352043 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.406359911 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.406415939 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.409578085 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.409590006 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.409595013 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.409656048 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.412703037 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.412714005 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.412724972 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.412777901 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.412787914 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.567831039 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.567842007 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.567913055 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.567917109 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.568089008 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.569123983 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.569135904 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.569144964 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.569205046 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.572166920 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.572177887 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.572187901 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.572246075 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.575299978 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.575309992 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.575323105 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.575371027 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.575396061 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.579730034 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.579740047 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.579749107 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.579797983 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.583085060 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.583095074 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.583105087 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.583152056 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.583163977 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.586553097 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.586563110 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.586584091 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.586628914 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.586662054 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.589812994 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.589823008 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.589833021 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.589879990 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.589909077 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.593265057 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.593275070 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.593283892 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.593332052 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.597625017 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.597635031 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.597644091 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.597687006 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.597709894 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.602216959 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.602227926 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.602232933 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.602293015 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.606497049 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.606508017 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.606517076 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.606559992 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.606581926 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.609532118 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.609543085 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.609551907 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.609599113 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.609627008 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.613925934 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.613936901 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.613946915 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.613992929 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.614026070 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.616796017 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.616803885 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.616863012 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.616904020 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.616914034 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.616951942 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.620049000 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.620059013 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.620069027 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.620104074 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.620126009 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.623163939 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.623176098 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.623192072 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.623239040 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.623265982 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.626161098 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.626213074 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.626262903 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.626348019 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.626355886 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.626389980 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.629386902 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.629395962 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.629442930 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.629479885 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.629487991 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.629518032 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.634149075 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.634159088 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.634170055 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.634212017 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.637459993 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.637489080 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.637511969 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.637546062 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.637631893 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.637640953 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.637684107 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.640536070 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.640546083 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.640557051 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.640588999 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.640615940 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.643991947 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.644005060 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.644013882 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.644043922 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.644077063 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.647022963 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.647033930 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.647043943 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.647094011 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.650432110 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.650443077 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.650453091 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.650485992 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.650506020 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.653563023 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.653573036 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.653579950 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.653630018 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.657701015 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.657717943 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.657768011 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.657800913 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.657809973 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.657849073 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.660945892 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.660957098 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.660965919 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.661004066 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.661035061 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.663969040 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.663980007 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.664028883 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.664104939 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.664114952 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.664140940 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.667237997 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.667248964 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.667263031 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.667309999 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.667326927 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.670558929 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.670569897 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.670581102 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.670619965 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.670653105 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.673876047 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.673887968 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.673898935 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.673942089 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.677335024 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.677345037 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.677354097 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.677392960 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.677405119 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.680814028 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.680824041 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.680834055 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.680879116 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.680911064 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.684220076 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.684237957 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.684247017 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.684299946 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.688756943 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.688767910 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.688777924 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.688812971 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.688846111 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.691787958 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.691798925 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.691807985 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.691847086 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.691879034 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.694876909 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.694889069 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.694900036 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.694946051 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.694973946 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.697880983 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.697890997 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.697901011 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.697943926 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.697973967 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.701180935 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.701190948 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.701239109 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.701302052 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.701311111 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.701343060 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.783612013 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.783624887 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.783637047 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.783673048 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.783706903 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.784944057 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.784955978 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.784971952 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.785000086 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.785024881 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.787976027 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.788016081 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.788057089 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.788105965 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.788115978 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.788142920 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.793445110 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.793456078 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.793467045 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.793508053 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.793529987 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.796390057 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.796428919 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.796446085 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.796479940 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.796511889 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.799415112 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.799424887 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.799434900 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.799469948 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.799503088 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.802897930 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.802908897 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.802918911 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.802953959 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.802983046 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.807131052 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.807142973 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.807153940 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.807200909 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.807236910 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.810456038 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.810467005 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.810477018 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.810511112 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.810539961 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.813515902 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.813538074 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.813548088 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.813585997 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.813616037 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.817027092 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.817037106 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.817047119 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.817076921 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.817102909 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.820398092 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.820409060 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.820417881 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.820452929 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.820481062 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.823317051 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.823328972 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.823340893 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.823378086 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.823402882 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.827855110 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.827924013 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.827975988 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.828047037 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.828054905 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.828094006 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.832839012 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.832849026 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.832887888 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.832988024 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.832998037 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.833030939 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.836178064 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.836189032 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.836199045 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.836232901 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.836265087 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.839226961 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.839237928 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.839247942 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.839291096 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.839317083 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.842358112 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.842375040 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.842425108 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.842509985 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.842519999 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.842555046 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.845468044 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.845478058 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.845487118 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.845541000 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.848742008 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.848752975 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.848762989 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.848814011 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.851794958 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.851805925 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.851815939 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.851891041 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.856154919 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.856163979 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.856221914 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.856306076 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.856314898 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.856352091 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.859287024 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.859297037 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.859307051 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.859369040 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.862508059 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.862523079 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.862580061 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.862634897 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.862643957 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.862673998 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.865859032 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.865870953 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.865876913 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.865952969 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.870371103 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.870388031 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.870398045 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.870457888 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.874589920 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.874599934 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.874609947 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.874645948 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.874674082 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.878808975 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.878818035 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.878868103 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.878889084 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.878896952 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.878938913 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.883505106 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.883514881 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.883586884 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.883615971 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.883625031 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.883714914 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.886642933 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.886662006 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.886694908 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.886717081 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.886737108 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.886750937 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.886775017 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.886796951 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.889659882 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.889668941 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.889674902 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.889820099 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.892668009 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.892714977 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.892740965 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.892788887 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.897902012 CET	49731	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.902657986 CET	4436	49731	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.904058933 CET	49733	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.908859015 CET	4436	49733	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.908927917 CET	49733	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.936741114 CET	49733	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:02.941728115 CET	4436	49733	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:02.941736937 CET	4436	49733	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:03.786344051 CET	4436	49733	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:03.786402941 CET	49733	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:04.054630041 CET	4436	49733	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:04.054713964 CET	49733	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:04.055149078 CET	49733	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:04.056159019 CET	49733	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:04.059870958 CET	4436	49733	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:04.060899019 CET	4436	49733	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:04.617054939 CET	4436	49733	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:04.617125988 CET	4436	49733	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:04.617132902 CET	49733	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:04.617265940 CET	49733	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:04.733493090 CET	49734	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:04.738274097 CET	4436	49734	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:04.738365889 CET	49734	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:04.738641977 CET	49734	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:04.743433952 CET	4436	49734	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:05.623020887 CET	4436	49734	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:05.623140097 CET	49734	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:05.881767035 CET	4436	49734	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:05.882019043 CET	49734	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:05.888931036 CET	49734	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:05.890527964 CET	49734	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:05.893740892 CET	4436	49734	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:05.895369053 CET	4436	49734	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:06.413908005 CET	4436	49734	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:06.414004087 CET	49734	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:06.414083004 CET	4436	49734	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:06.414139032 CET	49734	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:06.529973984 CET	49733	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:06.530368090 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:06.534785032 CET	4436	49733	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:06.535161972 CET	4436	49735	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:06.535218954 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:06.535473108 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:06.541861057 CET	4436	49735	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:07.393696070 CET	4436	49735	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:07.393754959 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:07.655111074 CET	4436	49735	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:07.655262947 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:07.657347918 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:07.660501957 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:07.662130117 CET	4436	49735	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:07.665350914 CET	4436	49735	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:08.173631907 CET	4436	49735	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:08.173646927 CET	4436	49735	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:08.173657894 CET	4436	49735	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:08.173701048 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:08.173729897 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:08.238152981 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:08.238183022 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:08.242909908 CET	4436	49735	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:08.242986917 CET	49735	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:08.349386930 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:08.354221106 CET	4436	49736	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:08.355658054 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:08.357470036 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:08.362337112 CET	4436	49736	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:09.234971046 CET	4436	49736	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:09.235024929 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:09.490783930 CET	4436	49736	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:09.490840912 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:09.491164923 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:09.492444038 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:09.495888948 CET	4436	49736	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:09.497275114 CET	4436	49736	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:10.019084930 CET	4436	49736	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:10.019174099 CET	4436	49736	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:10.019186020 CET	4436	49736	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:10.019196987 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:10.019231081 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:10.019737005 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:10.019773960 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:10.024502993 CET	4436	49736	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:10.027641058 CET	49736	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:10.124509096 CET	49737	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:10.129286051 CET	4436	49737	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:10.131661892 CET	49737	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:10.131897926 CET	49737	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:10.136718988 CET	4436	49737	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:11.011528969 CET	4436	49737	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:11.011610985 CET	49737	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:11.268418074 CET	4436	49737	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:11.268594980 CET	49737	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:11.278270960 CET	49737	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:11.279208899 CET	49737	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:11.283041954 CET	4436	49737	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:11.283999920 CET	4436	49737	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:11.797965050 CET	4436	49737	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:11.798016071 CET	4436	49737	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:11.798017025 CET	49737	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:11.798058987 CET	49737	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:11.798293114 CET	49737	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:11.803194046 CET	4436	49737	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:11.906024933 CET	49738	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:11.910907984 CET	4436	49738	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:11.911003113 CET	49738	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:11.911209106 CET	49738	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:11.916107893 CET	4436	49738	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:12.822966099 CET	4436	49738	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:12.823658943 CET	49738	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:13.082498074 CET	4436	49738	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:13.082561016 CET	49738	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:13.083409071 CET	49738	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:13.084790945 CET	49738	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:13.088200092 CET	4436	49738	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:13.089565039 CET	4436	49738	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:13.610188961 CET	4436	49738	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:13.610253096 CET	49738	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:13.610301971 CET	4436	49738	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:13.610450029 CET	49738	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:13.612591982 CET	49738	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:13.617351055 CET	4436	49738	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:13.718569040 CET	49739	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:13.723368883 CET	4436	49739	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:13.723448038 CET	49739	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:13.724315882 CET	49739	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:13.729090929 CET	4436	49739	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:14.627144098 CET	4436	49739	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:14.627202034 CET	49739	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:14.884342909 CET	4436	49739	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:14.884428978 CET	49739	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:14.884748936 CET	49739	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:14.885735989 CET	49739	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:14.889508009 CET	4436	49739	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:14.890531063 CET	4436	49739	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:15.435960054 CET	4436	49739	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:15.436039925 CET	49739	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:15.436058998 CET	4436	49739	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:15.436100006 CET	49739	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:15.436459064 CET	49739	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:15.441186905 CET	4436	49739	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:15.546150923 CET	49742	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:15.550992966 CET	4436	49742	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:15.551059008 CET	49742	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:15.551474094 CET	49742	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:15.556257963 CET	4436	49742	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:16.431600094 CET	4436	49742	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:16.431756973 CET	49742	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:16.696863890 CET	4436	49742	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:16.696974993 CET	49742	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:16.697242022 CET	49742	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:16.702039003 CET	4436	49742	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:16.837373972 CET	49742	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:16.842233896 CET	4436	49742	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:17.234661102 CET	4436	49742	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:17.234719992 CET	49742	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:17.234843016 CET	4436	49742	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:17.234896898 CET	49742	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:17.342494965 CET	49734	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:17.343015909 CET	49747	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:17.347265959 CET	4436	49734	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:17.347801924 CET	4436	49747	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:17.347867966 CET	49747	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:17.348098040 CET	49747	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:17.352891922 CET	4436	49747	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:18.201906919 CET	4436	49747	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:18.201962948 CET	49747	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:18.448924065 CET	4436	49747	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:18.449167013 CET	49747	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:18.449517965 CET	49747	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:18.454376936 CET	4436	49747	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:18.676253080 CET	49747	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:18.681063890 CET	4436	49747	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:18.979686022 CET	4436	49747	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:18.979742050 CET	49747	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:18.979819059 CET	4436	49747	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:18.979896069 CET	49747	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:19.037132978 CET	52089	53	192.168.2.4	1.1.1.1
Jan 5, 2025 23:02:19.041985989 CET	53	52089	1.1.1.1	192.168.2.4
Jan 5, 2025 23:02:19.042177916 CET	52089	53	192.168.2.4	1.1.1.1
Jan 5, 2025 23:02:19.047054052 CET	53	52089	1.1.1.1	192.168.2.4
Jan 5, 2025 23:02:19.092595100 CET	49742	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:19.093575001 CET	52090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:19.097459078 CET	4436	49742	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:19.098397970 CET	4436	52090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:19.098469019 CET	52090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:19.098648071 CET	52090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:19.103482962 CET	4436	52090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:19.486495972 CET	52089	53	192.168.2.4	1.1.1.1
Jan 5, 2025 23:02:19.491578102 CET	53	52089	1.1.1.1	192.168.2.4
Jan 5, 2025 23:02:19.491662025 CET	52089	53	192.168.2.4	1.1.1.1
Jan 5, 2025 23:02:19.969393969 CET	4436	52090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:19.969501972 CET	52090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:20.256123066 CET	4436	52090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:20.259078026 CET	52090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:20.260591984 CET	52090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:20.260591984 CET	52090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:20.265383959 CET	4436	52090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:20.265396118 CET	4436	52090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:20.499614000 CET	60046	53	192.168.2.4	1.1.1.1
Jan 5, 2025 23:02:20.504393101 CET	53	60046	1.1.1.1	192.168.2.4
Jan 5, 2025 23:02:20.507694006 CET	60046	53	192.168.2.4	1.1.1.1
Jan 5, 2025 23:02:20.512473106 CET	53	60046	1.1.1.1	192.168.2.4
Jan 5, 2025 23:02:20.575309038 CET	4436	52090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:20.575532913 CET	4436	52090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:20.579869032 CET	52090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:20.579869032 CET	52090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:20.584647894 CET	4436	52090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:20.687608957 CET	60047	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:20.692497015 CET	4436	60047	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:20.692662001 CET	60047	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:20.692852974 CET	60047	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:20.697623014 CET	4436	60047	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:20.973977089 CET	60046	53	192.168.2.4	1.1.1.1
Jan 5, 2025 23:02:20.979059935 CET	53	60046	1.1.1.1	192.168.2.4
Jan 5, 2025 23:02:20.979120016 CET	60046	53	192.168.2.4	1.1.1.1
Jan 5, 2025 23:02:21.557142973 CET	4436	60047	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:21.557229042 CET	60047	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:21.812340975 CET	4436	60047	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:21.812408924 CET	60047	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:21.812654972 CET	60047	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:21.813596964 CET	60047	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:21.817365885 CET	4436	60047	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:21.818386078 CET	4436	60047	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:22.329946041 CET	4436	60047	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:22.330002069 CET	60047	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:22.330101013 CET	4436	60047	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:22.330146074 CET	60047	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:22.436292887 CET	49747	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:22.437072039 CET	60050	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:22.441690922 CET	4436	49747	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:22.442311049 CET	4436	60050	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:22.442365885 CET	60050	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:22.442655087 CET	60050	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:22.448829889 CET	4436	60050	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:23.332086086 CET	4436	60050	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:23.332156897 CET	60050	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:23.594023943 CET	4436	60050	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:23.594083071 CET	60050	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:23.594433069 CET	60050	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:23.595468044 CET	60050	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:23.599204063 CET	4436	60050	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:23.600276947 CET	4436	60050	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:24.113631964 CET	4436	60050	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:24.113694906 CET	60050	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:24.113746881 CET	4436	60050	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:24.113842964 CET	60050	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:24.217463970 CET	60047	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:24.218051910 CET	60052	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:24.224066973 CET	4436	60047	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:24.224603891 CET	4436	60052	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:24.224673986 CET	60052	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:24.224911928 CET	60052	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:24.230935097 CET	4436	60052	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:25.106422901 CET	4436	60052	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:25.106530905 CET	60052	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:25.366677999 CET	4436	60052	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:25.366733074 CET	60052	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:25.367409945 CET	60052	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:25.368565083 CET	60052	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:25.372200012 CET	4436	60052	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:25.373353958 CET	4436	60052	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:25.897882938 CET	4436	60052	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:25.897957087 CET	60052	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:25.898004055 CET	4436	60052	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:25.898046970 CET	60052	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:25.998823881 CET	60050	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:25.999180079 CET	60055	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:26.004020929 CET	4436	60050	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:26.004447937 CET	4436	60055	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:26.004511118 CET	60055	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:26.004740000 CET	60055	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:26.009824991 CET	4436	60055	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:26.891227007 CET	4436	60055	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:26.891283035 CET	60055	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:27.144942045 CET	4436	60055	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:27.145690918 CET	60055	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:27.148843050 CET	60055	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:27.149857044 CET	60055	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:27.153669119 CET	4436	60055	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:27.154648066 CET	4436	60055	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:27.673551083 CET	4436	60055	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:27.673566103 CET	4436	60055	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:27.673624039 CET	60055	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:27.673908949 CET	60055	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:27.678730011 CET	4436	60055	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:27.781724930 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:27.786567926 CET	4436	60056	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:27.786633015 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:27.786873102 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:27.791713953 CET	4436	60056	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:28.694521904 CET	4436	60056	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:28.699748993 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:28.963032007 CET	4436	60056	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:28.963093042 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:28.963397980 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:28.964812994 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:28.968174934 CET	4436	60056	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:28.969614983 CET	4436	60056	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:29.495851040 CET	4436	60056	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:29.495877981 CET	4436	60056	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:29.495904922 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:29.495934963 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:29.495963097 CET	4436	60056	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:29.496005058 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:29.496165037 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:29.496190071 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:29.500926018 CET	4436	60056	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:29.500998020 CET	60056	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:29.655525923 CET	60057	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:29.660366058 CET	4436	60057	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:29.660442114 CET	60057	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:29.660712004 CET	60057	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:29.665488958 CET	4436	60057	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:30.536264896 CET	4436	60057	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:30.536324978 CET	60057	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:30.795875072 CET	4436	60057	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:30.795960903 CET	60057	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:30.796329021 CET	60057	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:30.797369003 CET	60057	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:30.801105022 CET	4436	60057	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:30.802207947 CET	4436	60057	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:31.339796066 CET	4436	60057	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:31.339865923 CET	4436	60057	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:31.339924097 CET	60057	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:31.341792107 CET	60057	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:31.346551895 CET	4436	60057	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:31.532488108 CET	60058	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:31.537400007 CET	4436	60058	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:31.537451982 CET	60058	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:31.540570974 CET	60058	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:31.545368910 CET	4436	60058	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:32.410613060 CET	4436	60058	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:32.410674095 CET	60058	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:32.677437067 CET	4436	60058	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:32.677490950 CET	60058	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:32.678086042 CET	60058	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:32.680066109 CET	60058	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:32.682821989 CET	4436	60058	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:32.684904099 CET	4436	60058	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:33.211116076 CET	4436	60058	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:33.211206913 CET	60058	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:33.211230040 CET	4436	60058	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:33.211515903 CET	60058	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:33.333978891 CET	60052	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:33.334392071 CET	60059	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:33.338845968 CET	4436	60052	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:33.339234114 CET	4436	60059	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:33.343647003 CET	60059	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:33.343854904 CET	60059	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:33.348624945 CET	4436	60059	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:34.227009058 CET	4436	60059	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:34.227081060 CET	60059	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:34.490423918 CET	4436	60059	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:34.490483999 CET	60059	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:34.490803003 CET	60059	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:34.492166996 CET	60059	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:34.495527983 CET	4436	60059	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:34.496927977 CET	4436	60059	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:35.014478922 CET	4436	60059	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:35.014530897 CET	60059	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:35.014689922 CET	4436	60059	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:35.014746904 CET	60059	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:35.123902082 CET	60058	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:35.124474049 CET	60060	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:35.128837109 CET	4436	60058	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:35.129312038 CET	4436	60060	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:35.129380941 CET	60060	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:35.129645109 CET	60060	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:35.134419918 CET	4436	60060	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:36.014070034 CET	4436	60060	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:36.014164925 CET	60060	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:36.268798113 CET	4436	60060	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:36.268873930 CET	60060	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:36.269207001 CET	60060	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:36.270282030 CET	60060	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:36.274013042 CET	4436	60060	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:36.275111914 CET	4436	60060	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:36.788726091 CET	4436	60060	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:36.788786888 CET	4436	60060	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:36.788801908 CET	60060	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:36.788830042 CET	60060	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:36.790062904 CET	60060	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:36.794780970 CET	4436	60060	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:36.925729990 CET	60061	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:36.930687904 CET	4436	60061	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:36.930757046 CET	60061	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:36.936681032 CET	60061	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:36.941531897 CET	4436	60061	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:37.793114901 CET	4436	60061	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:37.793251038 CET	60061	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:38.048095942 CET	4436	60061	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:38.048177004 CET	60061	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:38.048506021 CET	60061	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:38.049519062 CET	60061	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:38.053266048 CET	4436	60061	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:38.054261923 CET	4436	60061	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:38.569736958 CET	4436	60061	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:38.569797039 CET	60061	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:38.569803953 CET	4436	60061	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:38.569849968 CET	60061	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:38.570116997 CET	60061	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:38.574896097 CET	4436	60061	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:38.670917988 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:38.675761938 CET	4436	60062	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:38.675831079 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:38.676150084 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:38.680939913 CET	4436	60062	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:39.543663025 CET	4436	60062	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:39.545661926 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:39.799609900 CET	4436	60062	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:39.801691055 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:39.880645990 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:39.884408951 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:39.885499001 CET	4436	60062	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:39.889225006 CET	4436	60062	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:40.404581070 CET	4436	60062	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:40.404611111 CET	4436	60062	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:40.404643059 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:40.404654980 CET	4436	60062	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:40.404661894 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:40.404895067 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:40.404989958 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:40.405014038 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:40.409857035 CET	4436	60062	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:40.409910917 CET	60062	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:40.514714956 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:40.519557953 CET	4436	60063	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:40.519630909 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:40.519850016 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:40.524746895 CET	4436	60063	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:41.441279888 CET	4436	60063	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:41.441832066 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:41.713344097 CET	4436	60063	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:41.713413000 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:41.713763952 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:41.714757919 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:41.718600988 CET	4436	60063	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:41.719568014 CET	4436	60063	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:42.248173952 CET	4436	60063	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:42.248260975 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:42.248305082 CET	4436	60063	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:42.248321056 CET	4436	60063	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:42.248349905 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:42.248373985 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:42.273004055 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:42.273031950 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:42.277817965 CET	4436	60063	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:42.277873993 CET	60063	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:42.389563084 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:42.394438028 CET	4436	60064	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:42.394496918 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:42.398452997 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:42.403285980 CET	4436	60064	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:43.266721010 CET	4436	60064	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:43.266786098 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:43.646033049 CET	4436	60064	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:43.646080017 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:43.646517038 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:43.647516966 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:43.651264906 CET	4436	60064	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:43.652297020 CET	4436	60064	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:44.180751085 CET	4436	60064	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:44.180907011 CET	4436	60064	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:44.180989027 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:44.181021929 CET	4436	60064	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:44.181071997 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:44.181241035 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:44.181241035 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:44.186060905 CET	4436	60064	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:44.191613913 CET	60064	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:44.295929909 CET	60065	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:44.300892115 CET	4436	60065	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:44.301654100 CET	60065	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:44.302061081 CET	60065	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:44.306864023 CET	4436	60065	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:45.204982996 CET	4436	60065	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:45.205862999 CET	60065	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:45.460880995 CET	4436	60065	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:45.461611032 CET	60065	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:45.461916924 CET	60065	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:45.462991953 CET	60065	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:45.466697931 CET	4436	60065	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:45.467823029 CET	4436	60065	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:45.988104105 CET	4436	60065	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:45.988184929 CET	4436	60065	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:45.988233089 CET	60065	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:45.988293886 CET	60065	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:45.988533974 CET	60065	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:45.993495941 CET	4436	60065	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:46.092833042 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:46.097652912 CET	4436	60066	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:46.097755909 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:46.097984076 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:46.103173018 CET	4436	60066	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:46.965114117 CET	4436	60066	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:46.965747118 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.221209049 CET	4436	60066	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:47.221826077 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.222064972 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.223062992 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.226902962 CET	4436	60066	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:47.227865934 CET	4436	60066	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:47.743294954 CET	4436	60066	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:47.743354082 CET	4436	60066	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:47.743385077 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.743415117 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.743494987 CET	4436	60066	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:47.743591070 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.743701935 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.743714094 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.748469114 CET	4436	60066	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:47.749461889 CET	60066	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.858361959 CET	60067	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.863275051 CET	4436	60067	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:47.863630056 CET	60067	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.863842964 CET	60067	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:47.868638039 CET	4436	60067	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:48.723974943 CET	4436	60067	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:48.724030972 CET	60067	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:48.984482050 CET	4436	60067	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:48.987725019 CET	60067	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:48.998014927 CET	60067	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:48.999083996 CET	60067	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:49.002799034 CET	4436	60067	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:49.003978968 CET	4436	60067	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:49.514627934 CET	4436	60067	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:49.514693975 CET	60067	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:49.514789104 CET	4436	60067	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:49.514842033 CET	60067	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:49.623781919 CET	60059	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:49.624227047 CET	60068	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:49.628598928 CET	4436	60059	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:49.629055977 CET	4436	60068	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:49.629125118 CET	60068	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:49.629374027 CET	60068	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:49.634145021 CET	4436	60068	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:50.530514002 CET	4436	60068	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:50.530591011 CET	60068	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:50.790504932 CET	4436	60068	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:50.790561914 CET	60068	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:50.790894985 CET	60068	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:50.792113066 CET	60068	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:50.795663118 CET	4436	60068	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:50.796897888 CET	4436	60068	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:51.319082975 CET	4436	60068	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:51.319256067 CET	4436	60068	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:51.319338083 CET	60068	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:51.324347973 CET	60068	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:51.329173088 CET	4436	60068	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:51.462614059 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:51.467494965 CET	4436	60069	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:51.467561960 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:51.468528986 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:51.473366022 CET	4436	60069	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:52.347450018 CET	4436	60069	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:52.347527027 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:52.633177996 CET	4436	60069	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:52.633255959 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:52.633559942 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:52.634491920 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:52.638397932 CET	4436	60069	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:52.639704943 CET	4436	60069	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:53.167279005 CET	4436	60069	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:53.167433023 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:53.167546988 CET	4436	60069	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:53.167639971 CET	4436	60069	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:53.167726040 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:53.167726040 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:53.280142069 CET	60067	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:53.280565977 CET	60070	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:53.284936905 CET	4436	60067	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:53.285414934 CET	4436	60070	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:53.285482883 CET	60070	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:53.285769939 CET	60070	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:53.290595055 CET	4436	60070	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:54.165285110 CET	4436	60070	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:54.167620897 CET	60070	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:54.443042040 CET	4436	60070	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:54.445590973 CET	60070	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:54.445880890 CET	60070	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:54.446734905 CET	60070	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:54.450658083 CET	4436	60070	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:54.451535940 CET	4436	60070	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:54.984981060 CET	4436	60070	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:54.985040903 CET	4436	60070	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:54.985045910 CET	60070	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:54.985085964 CET	60070	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:54.985392094 CET	60070	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:54.990102053 CET	4436	60070	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:55.092905998 CET	60071	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:55.097819090 CET	4436	60071	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:55.097884893 CET	60071	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:55.098170042 CET	60071	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:55.102951050 CET	4436	60071	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:55.973512888 CET	4436	60071	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:55.975590944 CET	60071	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:56.236175060 CET	4436	60071	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:56.239603043 CET	60071	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:56.239898920 CET	60071	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:56.240837097 CET	60071	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:56.244663954 CET	4436	60071	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:56.245582104 CET	4436	60071	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:56.782871962 CET	4436	60071	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:56.782993078 CET	4436	60071	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:56.783067942 CET	60071	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:56.796821117 CET	60071	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:56.801630974 CET	4436	60071	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:56.967283010 CET	60072	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:56.972179890 CET	4436	60072	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:56.972244978 CET	60072	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:56.972485065 CET	60072	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:56.977322102 CET	4436	60072	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:57.892221928 CET	4436	60072	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:57.892288923 CET	60072	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:58.150765896 CET	4436	60072	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:58.150827885 CET	60072	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:58.151093006 CET	60072	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:58.151909113 CET	60072	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:58.155884981 CET	4436	60072	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:58.156686068 CET	4436	60072	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:58.683245897 CET	4436	60072	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:58.683259010 CET	4436	60072	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:58.683336973 CET	60072	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:58.683547974 CET	60072	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:58.688285112 CET	4436	60072	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:58.795861959 CET	60079	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:58.800780058 CET	4436	60079	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:58.800849915 CET	60079	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:58.801085949 CET	60079	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:58.806071997 CET	4436	60079	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:59.672532082 CET	4436	60079	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:59.672607899 CET	60079	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:59.943536043 CET	4436	60079	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:59.943604946 CET	60079	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:59.957447052 CET	60079	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:59.958945990 CET	60079	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:02:59.962258101 CET	4436	60079	103.19.190.184	192.168.2.4
Jan 5, 2025 23:02:59.963788986 CET	4436	60079	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:00.486684084 CET	4436	60079	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:00.486757994 CET	60079	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:00.486800909 CET	4436	60079	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:00.486944914 CET	60079	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:00.487003088 CET	60079	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:00.492655993 CET	4436	60079	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:00.592792034 CET	60090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:00.597656012 CET	4436	60090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:00.597728968 CET	60090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:00.598141909 CET	60090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:00.602900028 CET	4436	60090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:01.505287886 CET	4436	60090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:01.505346060 CET	60090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:01.777318001 CET	4436	60090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:01.777384043 CET	60090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:01.777632952 CET	60090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:01.778809071 CET	60090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:01.782372952 CET	4436	60090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:01.783562899 CET	4436	60090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:02.311460018 CET	4436	60090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:02.311511040 CET	60090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:02.311589003 CET	4436	60090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:02.311642885 CET	60090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:02.311747074 CET	60090	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:02.316540003 CET	4436	60090	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:02.420928001 CET	60106	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:02.425889015 CET	4436	60106	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:02.425966024 CET	60106	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:02.426166058 CET	60106	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:02.430984974 CET	4436	60106	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:03.278970957 CET	4436	60106	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:03.279738903 CET	60106	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:03.527704000 CET	4436	60106	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:03.527786970 CET	60106	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:03.528147936 CET	60106	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:03.529875994 CET	60106	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:03.532955885 CET	4436	60106	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:03.534645081 CET	4436	60106	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:04.039885998 CET	4436	60106	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:04.039978981 CET	4436	60106	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:04.040065050 CET	60106	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:04.040265083 CET	60106	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:04.045013905 CET	4436	60106	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:04.155241966 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:04.160268068 CET	4436	60117	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:04.160756111 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:04.161015987 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:04.165781975 CET	4436	60117	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:05.028450966 CET	4436	60117	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:05.028510094 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.284274101 CET	4436	60117	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:05.284360886 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.284683943 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.285640955 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.289522886 CET	4436	60117	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:05.290493011 CET	4436	60117	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:05.805879116 CET	4436	60117	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:05.805959940 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.806027889 CET	4436	60117	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:05.806047916 CET	4436	60117	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:05.806083918 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.806099892 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.806225061 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.806255102 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.810955048 CET	4436	60117	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:05.811042070 CET	60117	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.920828104 CET	60126	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.925662041 CET	4436	60126	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:05.925740004 CET	60126	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.926029921 CET	60126	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:05.930818081 CET	4436	60126	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:06.785757065 CET	4436	60126	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:06.787605047 CET	60126	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:07.047036886 CET	4436	60126	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:07.047106981 CET	60126	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:07.047378063 CET	60126	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:07.048352003 CET	60126	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:07.052170038 CET	4436	60126	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:07.053086996 CET	4436	60126	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:07.563859940 CET	4436	60126	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:07.563870907 CET	4436	60126	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:07.563918114 CET	60126	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:07.564142942 CET	60126	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:07.569675922 CET	4436	60126	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:07.671056986 CET	60136	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:07.675940990 CET	4436	60136	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:07.678855896 CET	60136	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:07.679390907 CET	60136	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:07.684221983 CET	4436	60136	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:08.572630882 CET	4436	60136	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:08.572683096 CET	60136	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:08.829895020 CET	4436	60136	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:08.829946041 CET	60136	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:08.830172062 CET	60136	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:08.831171989 CET	60136	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:08.834944963 CET	4436	60136	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:08.836010933 CET	4436	60136	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:09.348764896 CET	4436	60136	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:09.348809004 CET	4436	60136	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:09.348839998 CET	60136	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:09.348859072 CET	60136	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:09.349046946 CET	60136	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:09.353852987 CET	4436	60136	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:09.452131033 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:09.456904888 CET	4436	60150	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:09.459597111 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:09.459800959 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:09.464632034 CET	4436	60150	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:10.339163065 CET	4436	60150	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:10.339221954 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:10.599948883 CET	4436	60150	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:10.599998951 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:10.600441933 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:10.601501942 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:10.605184078 CET	4436	60150	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:10.606256962 CET	4436	60150	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:11.133140087 CET	4436	60150	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:11.133275986 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:11.133405924 CET	4436	60150	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:11.133539915 CET	4436	60150	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:11.133621931 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:11.248670101 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:11.248687029 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:11.249015093 CET	60163	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:11.253510952 CET	4436	60069	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:11.253567934 CET	60069	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:11.253835917 CET	4436	60163	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:11.253895044 CET	60163	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:11.254163027 CET	60163	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:11.258927107 CET	4436	60163	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:12.129617929 CET	4436	60163	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:12.129686117 CET	60163	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:12.391360998 CET	4436	60163	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:12.392787933 CET	60163	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:12.393055916 CET	60163	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:12.394135952 CET	60163	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:12.397888899 CET	4436	60163	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:12.398876905 CET	4436	60163	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:12.925036907 CET	4436	60163	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:12.925105095 CET	60163	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:12.925194025 CET	4436	60163	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:12.925255060 CET	60163	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:13.030085087 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:13.030085087 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:13.030338049 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:13.035554886 CET	4436	60150	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:13.035567045 CET	4436	60175	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:13.035613060 CET	60150	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:13.035645008 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:13.035777092 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:13.042227030 CET	4436	60175	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:13.933866024 CET	4436	60175	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:13.933919907 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.213990927 CET	4436	60175	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:14.214047909 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.214389086 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.215516090 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.219173908 CET	4436	60175	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:14.220335960 CET	4436	60175	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:14.743973017 CET	4436	60175	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:14.744023085 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.744054079 CET	4436	60175	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:14.744091034 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.744110107 CET	4436	60175	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:14.744158983 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.744247913 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.744261980 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.749021053 CET	4436	60175	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:14.749067068 CET	60175	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.858374119 CET	60189	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.864015102 CET	4436	60189	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:14.864114046 CET	60189	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.864363909 CET	60189	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:14.870019913 CET	4436	60189	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:15.724011898 CET	4436	60189	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:15.724059105 CET	60189	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:15.982511997 CET	4436	60189	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:15.982562065 CET	60189	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:15.982829094 CET	60189	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:15.984333038 CET	60189	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:15.987596035 CET	4436	60189	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:15.989161968 CET	4436	60189	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:16.508059978 CET	4436	60189	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:16.508112907 CET	60189	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:16.508239985 CET	4436	60189	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:16.508425951 CET	60189	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:16.623986959 CET	60163	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:16.624377966 CET	60200	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:16.628761053 CET	4436	60163	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:16.629115105 CET	4436	60200	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:16.629173994 CET	60200	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:16.629426956 CET	60200	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:16.634211063 CET	4436	60200	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:17.498887062 CET	4436	60200	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:17.498949051 CET	60200	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:17.754838943 CET	4436	60200	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:17.754909039 CET	60200	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:17.755183935 CET	60200	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:17.756504059 CET	60200	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:17.760005951 CET	4436	60200	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:17.761297941 CET	4436	60200	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:18.169517994 CET	4436	60200	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:18.169538021 CET	4436	60200	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:18.169548035 CET	4436	60200	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:18.169578075 CET	60200	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:18.169599056 CET	60200	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:18.169599056 CET	60200	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:18.169837952 CET	60200	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:18.174542904 CET	4436	60200	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:18.281267881 CET	60207	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:18.286091089 CET	4436	60207	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:18.286149025 CET	60207	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:18.286386013 CET	60207	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:18.291977882 CET	4436	60207	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:19.165153027 CET	4436	60207	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:19.165638924 CET	60207	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:19.424272060 CET	4436	60207	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:19.424365044 CET	60207	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:19.424632072 CET	60207	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:19.425539970 CET	60207	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:19.430291891 CET	4436	60207	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:19.431031942 CET	4436	60207	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:19.944931984 CET	4436	60207	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:19.945070028 CET	4436	60207	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:19.945116043 CET	60207	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:19.945310116 CET	60207	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:19.950067043 CET	4436	60207	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:20.061559916 CET	60220	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:20.066386938 CET	4436	60220	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:20.066457033 CET	60220	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:20.066715956 CET	60220	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:20.071481943 CET	4436	60220	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:20.926985025 CET	4436	60220	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:20.927162886 CET	60220	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:21.191035032 CET	4436	60220	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:21.191589117 CET	60220	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:21.191876888 CET	60220	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:21.192929029 CET	60220	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:21.197830915 CET	4436	60220	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:21.198887110 CET	4436	60220	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:21.709985018 CET	4436	60220	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:21.710055113 CET	60220	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:21.710170984 CET	4436	60220	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:21.710227966 CET	60220	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:21.811212063 CET	60189	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:21.811678886 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:21.816060066 CET	4436	60189	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:21.816504955 CET	4436	60232	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:21.816612005 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:21.816814899 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:21.821578979 CET	4436	60232	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:22.713294983 CET	4436	60232	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:22.713365078 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:22.980397940 CET	4436	60232	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:22.980457067 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:22.980684996 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:22.981753111 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:22.985416889 CET	4436	60232	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:22.986489058 CET	4436	60232	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:23.528903008 CET	4436	60232	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:23.528923035 CET	4436	60232	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:23.529000998 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:23.529007912 CET	4436	60232	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:23.529364109 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:23.529944897 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:23.529944897 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:23.534701109 CET	4436	60232	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:23.534945011 CET	60232	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:23.639976978 CET	60244	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:23.644723892 CET	4436	60244	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:23.645219088 CET	60244	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:23.645294905 CET	60244	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:23.650106907 CET	4436	60244	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:24.526534081 CET	4436	60244	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:24.526638031 CET	60244	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:24.788614988 CET	4436	60244	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:24.788680077 CET	60244	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:24.788943052 CET	60244	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:24.790164948 CET	60244	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:24.794512987 CET	4436	60244	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:24.795718908 CET	4436	60244	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:25.320560932 CET	4436	60244	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:25.320693016 CET	4436	60244	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:25.323584080 CET	60244	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:25.323788881 CET	60244	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:25.328571081 CET	4436	60244	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:25.440447092 CET	60256	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:25.445332050 CET	4436	60256	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:25.445424080 CET	60256	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:25.445631027 CET	60256	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:25.450448036 CET	4436	60256	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:26.320254087 CET	4436	60256	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:26.320313931 CET	60256	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:26.590256929 CET	4436	60256	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:26.590326071 CET	60256	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:26.590646029 CET	60256	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:26.591860056 CET	60256	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:26.595385075 CET	4436	60256	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:26.596678019 CET	4436	60256	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:27.118278027 CET	4436	60256	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:27.118370056 CET	4436	60256	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:27.118426085 CET	4436	60256	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:27.118669987 CET	60256	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:27.118669987 CET	60256	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:27.119543076 CET	60256	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:27.123466969 CET	4436	60256	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:27.124784946 CET	60256	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:27.233314991 CET	60270	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:27.238095045 CET	4436	60270	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:27.238183975 CET	60270	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:27.241592884 CET	60270	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:27.246381044 CET	4436	60270	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:28.130734921 CET	4436	60270	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:28.130832911 CET	60270	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:28.401947021 CET	4436	60270	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:28.402004004 CET	60270	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:28.402307034 CET	60270	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:28.403889894 CET	60270	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:28.407118082 CET	4436	60270	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:28.408740044 CET	4436	60270	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:28.937860012 CET	4436	60270	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:28.938043118 CET	4436	60270	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:28.938102007 CET	60270	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:28.947665930 CET	60270	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:28.952433109 CET	4436	60270	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:29.061482906 CET	60282	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:29.066315889 CET	4436	60282	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:29.066397905 CET	60282	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:29.066642046 CET	60282	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:29.071614981 CET	4436	60282	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:29.946870089 CET	4436	60282	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:29.946924925 CET	60282	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:30.215517044 CET	4436	60282	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:30.215572119 CET	60282	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:30.215848923 CET	60282	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:30.216818094 CET	60282	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:30.220578909 CET	4436	60282	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:30.221559048 CET	4436	60282	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:30.766638041 CET	4436	60282	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:30.766712904 CET	4436	60282	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:30.766813040 CET	60282	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:30.769805908 CET	60282	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:30.774579048 CET	4436	60282	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:30.874430895 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:31.142985106 CET	4436	60297	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:31.145627975 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:31.145922899 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:31.150700092 CET	4436	60297	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:32.005903006 CET	4436	60297	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:32.006166935 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:32.266498089 CET	4436	60297	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:32.266570091 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:32.266824007 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:32.268069983 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:32.271586895 CET	4436	60297	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:32.272927046 CET	4436	60297	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:32.782325029 CET	4436	60297	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:32.782418966 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:32.782489061 CET	4436	60297	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:32.782521963 CET	4436	60297	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:32.782550097 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:32.782565117 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:32.889763117 CET	60220	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:32.890391111 CET	60308	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:32.894593954 CET	4436	60220	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:32.895231009 CET	4436	60308	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:32.895299911 CET	60308	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:32.895502090 CET	60308	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:32.900227070 CET	4436	60308	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:33.767237902 CET	4436	60308	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:33.767330885 CET	60308	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:34.017179966 CET	4436	60308	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:34.017255068 CET	60308	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:34.023629904 CET	60308	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:34.024732113 CET	60308	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:34.028428078 CET	4436	60308	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:34.029576063 CET	4436	60308	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:34.543163061 CET	4436	60308	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:34.543221951 CET	60308	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:34.543278933 CET	4436	60308	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:34.543334007 CET	60308	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:34.544037104 CET	60308	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:34.548851967 CET	4436	60308	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:34.656032085 CET	60323	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:34.660881996 CET	4436	60323	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:34.660943985 CET	60323	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:34.661226034 CET	60323	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:34.666042089 CET	4436	60323	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:35.553203106 CET	4436	60323	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:35.553282976 CET	60323	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:35.823223114 CET	4436	60323	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:35.823317051 CET	60323	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:35.823609114 CET	60323	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:35.824701071 CET	60323	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:35.828388929 CET	4436	60323	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:35.829581022 CET	4436	60323	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:36.379503012 CET	4436	60323	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:36.379585981 CET	4436	60323	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:36.379615068 CET	60323	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:36.379638910 CET	60323	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:36.379878044 CET	60323	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:36.384605885 CET	4436	60323	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:36.483396053 CET	60335	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:36.488277912 CET	4436	60335	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:36.488338947 CET	60335	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:36.488548994 CET	60335	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:36.493302107 CET	4436	60335	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:37.382216930 CET	4436	60335	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:37.385782003 CET	60335	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:37.652252913 CET	4436	60335	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:37.652405977 CET	60335	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:37.652646065 CET	60335	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:37.653605938 CET	60335	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:37.657381058 CET	4436	60335	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:37.658418894 CET	4436	60335	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:38.194447041 CET	4436	60335	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:38.194459915 CET	4436	60335	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:38.194506884 CET	60335	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:38.194740057 CET	60335	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:38.199501038 CET	4436	60335	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:38.295748949 CET	60347	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:38.300493002 CET	4436	60347	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:38.300673008 CET	60347	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:38.300904036 CET	60347	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:38.305668116 CET	4436	60347	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:39.171711922 CET	4436	60347	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:39.171777964 CET	60347	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:39.428235054 CET	4436	60347	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:39.428303003 CET	60347	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:39.428555012 CET	60347	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:39.429501057 CET	60347	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:39.433346033 CET	4436	60347	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:39.434207916 CET	4436	60347	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:39.959276915 CET	4436	60347	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:39.959423065 CET	4436	60347	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:39.959498882 CET	60347	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:39.982255936 CET	60347	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:39.987059116 CET	4436	60347	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:40.135337114 CET	60359	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:40.140103102 CET	4436	60359	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:40.142721891 CET	60359	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:40.195996046 CET	60359	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:40.200779915 CET	4436	60359	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:41.007426023 CET	4436	60359	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:41.007472992 CET	60359	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:41.269053936 CET	4436	60359	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:41.269114017 CET	60359	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:41.269427061 CET	60359	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:41.271218061 CET	60359	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:41.274221897 CET	4436	60359	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:41.275978088 CET	4436	60359	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:41.790199995 CET	4436	60359	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:41.790281057 CET	4436	60359	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:41.790357113 CET	60359	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:41.790565014 CET	60359	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:41.795285940 CET	4436	60359	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:41.905256987 CET	60364	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:41.910083055 CET	4436	60364	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:41.910152912 CET	60364	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:41.910455942 CET	60364	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:41.915235996 CET	4436	60364	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:42.806917906 CET	4436	60364	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:42.809595108 CET	60364	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:43.086440086 CET	4436	60364	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:43.086492062 CET	60364	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:43.088352919 CET	60364	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:43.092521906 CET	60364	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:43.096256018 CET	4436	60364	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:43.097402096 CET	4436	60364	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:43.619019985 CET	4436	60364	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:43.619074106 CET	60364	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:43.619127989 CET	4436	60364	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:43.619183064 CET	60364	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:43.619316101 CET	60364	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:43.624171972 CET	4436	60364	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:43.733464956 CET	60365	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:43.738380909 CET	4436	60365	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:43.738465071 CET	60365	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:43.738676071 CET	60365	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:43.743442059 CET	4436	60365	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:44.629549980 CET	4436	60365	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:44.629614115 CET	60365	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:44.877327919 CET	4436	60365	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:44.879451036 CET	60365	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:44.879813910 CET	60365	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:44.880892038 CET	60365	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:44.884628057 CET	4436	60365	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:44.885700941 CET	4436	60365	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:45.392992020 CET	4436	60365	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:45.393172026 CET	60365	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:45.393182993 CET	4436	60365	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:45.393229961 CET	60365	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:45.501728058 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:45.501729012 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:45.502125978 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:45.506603956 CET	4436	60297	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:45.506665945 CET	60297	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:45.506917953 CET	4436	60366	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:45.506974936 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:45.509994984 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:45.514816999 CET	4436	60366	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:46.373779058 CET	4436	60366	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:46.375545979 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:46.629100084 CET	4436	60366	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:46.631542921 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:46.631870985 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:46.632863998 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:46.636699915 CET	4436	60366	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:46.637602091 CET	4436	60366	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:47.158245087 CET	4436	60366	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:47.158272028 CET	4436	60366	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:47.158283949 CET	4436	60366	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:47.158297062 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:47.158323050 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:47.158329964 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:47.158512115 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:47.158525944 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:47.163281918 CET	4436	60366	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:47.163332939 CET	60366	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:47.264683962 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:47.269493103 CET	4436	60367	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:47.269562006 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:47.269834042 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:47.274723053 CET	4436	60367	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:48.159018993 CET	4436	60367	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:48.163558006 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:48.417007923 CET	4436	60367	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:48.419537067 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:48.419845104 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:48.420912027 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:48.424642086 CET	4436	60367	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:48.425726891 CET	4436	60367	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:48.951605082 CET	4436	60367	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:48.951661110 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:48.951690912 CET	4436	60367	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:48.951719999 CET	4436	60367	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:48.951746941 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:48.951767921 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:48.951946020 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:48.951967001 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:48.956684113 CET	4436	60367	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:48.956733942 CET	60367	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:49.063721895 CET	60368	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:49.068588972 CET	4436	60368	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:49.068660975 CET	60368	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:49.068933964 CET	60368	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:49.073741913 CET	4436	60368	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:49.930301905 CET	4436	60368	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:49.930368900 CET	60368	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:50.189311028 CET	4436	60368	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:50.191360950 CET	60368	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:50.191696882 CET	60368	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:50.192776918 CET	60368	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:50.196511984 CET	4436	60368	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:50.197546005 CET	4436	60368	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:50.711556911 CET	4436	60368	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:50.711651087 CET	60368	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:50.711703062 CET	4436	60368	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:50.711750984 CET	60368	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:50.711893082 CET	60368	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:50.716636896 CET	4436	60368	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:50.842765093 CET	60369	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:50.847564936 CET	4436	60369	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:50.847664118 CET	60369	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:50.847971916 CET	60369	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:50.852735996 CET	4436	60369	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:51.715090990 CET	4436	60369	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:51.715159893 CET	60369	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:51.971203089 CET	4436	60369	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:51.971265078 CET	60369	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:51.971560955 CET	60369	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:51.972851038 CET	60369	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:51.976389885 CET	4436	60369	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:51.977577925 CET	4436	60369	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:52.493829966 CET	4436	60369	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:52.493930101 CET	4436	60369	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:52.494012117 CET	60369	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:52.659300089 CET	60369	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:52.665090084 CET	4436	60369	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:52.819410086 CET	60370	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:52.824326992 CET	4436	60370	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:52.825723886 CET	60370	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:52.826004028 CET	60370	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:52.830892086 CET	4436	60370	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:53.718828917 CET	4436	60370	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:53.718995094 CET	60370	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:53.980062008 CET	4436	60370	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:53.980120897 CET	60370	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:53.980437994 CET	60370	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:53.981419086 CET	60370	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:53.985193014 CET	4436	60370	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:53.986255884 CET	4436	60370	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:54.516180992 CET	4436	60370	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:54.516303062 CET	60370	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:54.516362906 CET	4436	60370	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:54.516597033 CET	60370	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:54.623667955 CET	60365	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:54.624083042 CET	60371	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:54.628478050 CET	4436	60365	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:54.628906965 CET	4436	60371	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:54.628967047 CET	60371	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:54.629134893 CET	60371	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:54.633903980 CET	4436	60371	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:55.491156101 CET	4436	60371	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:55.491219044 CET	60371	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:55.751128912 CET	4436	60371	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:55.751178026 CET	60371	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:55.753043890 CET	60371	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:55.754895926 CET	60371	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:55.757832050 CET	4436	60371	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:55.759694099 CET	4436	60371	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:56.067668915 CET	4436	60371	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:56.067727089 CET	60371	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:56.067770004 CET	4436	60371	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:56.067821026 CET	60371	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:56.067990065 CET	60371	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:56.072727919 CET	4436	60371	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:56.170914888 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:56.175748110 CET	4436	60372	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:56.175829887 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:56.176042080 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:56.180934906 CET	4436	60372	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:57.049731970 CET	4436	60372	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:57.049787045 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.320588112 CET	4436	60372	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:57.320641994 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.320981979 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.321999073 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.325802088 CET	4436	60372	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:57.326752901 CET	4436	60372	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:57.851809978 CET	4436	60372	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:57.852103949 CET	4436	60372	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:57.852164030 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.852168083 CET	4436	60372	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:57.852214098 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.852374077 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.852391958 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.857177973 CET	4436	60372	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:57.857933044 CET	60372	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.968020916 CET	60373	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.972948074 CET	4436	60373	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:57.975549936 CET	60373	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.975792885 CET	60373	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:57.980601072 CET	4436	60373	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:58.856384993 CET	4436	60373	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:58.858002901 CET	60373	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:59.114797115 CET	4436	60373	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:59.114855051 CET	60373	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:59.115183115 CET	60373	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:59.116353035 CET	60373	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:59.119955063 CET	4436	60373	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:59.121263027 CET	4436	60373	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:59.634938955 CET	4436	60373	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:59.635083914 CET	4436	60373	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:59.635210037 CET	60373	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:59.635409117 CET	60373	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:59.640166044 CET	4436	60373	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:59.749098063 CET	60374	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:59.753968954 CET	4436	60374	103.19.190.184	192.168.2.4
Jan 5, 2025 23:03:59.755537033 CET	60374	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:59.755745888 CET	60374	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:03:59.760548115 CET	4436	60374	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:00.643132925 CET	4436	60374	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:00.643548012 CET	60374	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:00.907713890 CET	4436	60374	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:00.911554098 CET	60374	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:01.182034016 CET	60374	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:01.184978008 CET	60374	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:01.186790943 CET	4436	60374	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:01.189733982 CET	4436	60374	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:01.698339939 CET	4436	60374	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:01.698396921 CET	60374	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:01.698438883 CET	4436	60374	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:01.698487043 CET	60374	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:01.698627949 CET	60374	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:01.703367949 CET	4436	60374	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:01.811708927 CET	60375	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:01.816911936 CET	4436	60375	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:01.817001104 CET	60375	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:01.817226887 CET	60375	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:01.822025061 CET	4436	60375	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:02.680437088 CET	4436	60375	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:02.680495024 CET	60375	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:02.940757990 CET	4436	60375	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:02.943563938 CET	60375	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:02.943876028 CET	60375	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:02.945014000 CET	60375	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:02.948607922 CET	4436	60375	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:02.949768066 CET	4436	60375	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:03.467637062 CET	4436	60375	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:03.467703104 CET	4436	60375	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:03.467818022 CET	60375	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:03.468144894 CET	60375	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:03.472882986 CET	4436	60375	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:03.577164888 CET	60376	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:03.582007885 CET	4436	60376	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:03.583565950 CET	60376	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:03.583745956 CET	60376	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:03.588495970 CET	4436	60376	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:04.460472107 CET	4436	60376	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:04.460530043 CET	60376	4436	192.168.2.4	103.19.190.184
Jan 5, 2025 23:04:04.722882986 CET	4436	60376	103.19.190.184	192.168.2.4
Jan 5, 2025 23:04:04.722994089 CET	60376	4436	192.168.2.4	103.19.190.184

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 23:02:19.036746979 CET	53	57308	1.1.1.1	192.168.2.4
Jan 5, 2025 23:02:20.489938021 CET	53	49756	1.1.1.1	192.168.2.4
Jan 5, 2025 23:02:22.575628996 CET	62150	53	192.168.2.4	1.1.1.1
Jan 5, 2025 23:02:22.586031914 CET	53	62150	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 23:02:22.575628996 CET	192.168.2.4	1.1.1.1	0x361a	Standard query (0)	212.20.149.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 23:02:00.196707964 CET	1.1.1.1	192.168.2.4	0x24b	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 5, 2025 23:02:00.196707964 CET	1.1.1.1	192.168.2.4	0x24b	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 5, 2025 23:02:22.586031914 CET	1.1.1.1	192.168.2.4	0x361a	Name error (3)	212.20.149.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	17:01:56
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\JP1KbvjWcM.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\JP1KbvjWcM.exe"
Imagebase:	0x7ff65b3b0000
File size:	216'576 bytes
MD5 hash:	553AB6275AE084F4587840C55A7A2EEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	81.8%
Signature Coverage:	10.9%
Total number of Nodes:	329
Total number of Limit Nodes:	14

Executed Functions

Function 00000265B01AE68C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 165
networkfileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.LIBCMT ref: 00000265B01AE725

Part of subcall function 00000265B01BF63C: _errno.LIBCMT ref: 00000265B01BF673
Part of subcall function 00000265B01BF63C: _invalid_parameter_noinfo.LIBCMT ref: 00000265B01BF67E

Part of subcall function 00000265B01B7B38: _snprintf.LIBCMT ref: 00000265B01B7CA5

_snprintf.LIBCMT ref: 00000265B01AE7BD
_snprintf.LIBCMT ref: 00000265B01AE7D4
HttpOpenRequestA.WININET ref: 00000265B01AE818
HttpSendRequestA.WININET ref: 00000265B01AE84A
InternetQueryDataAvailable.WININET ref: 00000265B01AE87A
InternetCloseHandle.WININET ref: 00000265B01AE898

Part of subcall function 00000265B01B2D70: strchr.LIBCMT ref: 00000265B01B2DD6
Part of subcall function 00000265B01B2D70: _snprintf.LIBCMT ref: 00000265B01B2E0C

Part of subcall function 00000265B01B2C0C: strchr.LIBCMT ref: 00000265B01B2C69
Part of subcall function 00000265B01B2C0C: _snprintf.LIBCMT ref: 00000265B01B2CB3

InternetReadFile.WININET ref: 00000265B01AE8D4
InternetCloseHandle.WININET ref: 00000265B01AE8F5

Strings

*/*, xrefs: 00000265B01AE6CB
%s%s, xrefs: 00000265B01AE7C9

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _snprintf$Internet$CloseHandleHttpRequeststrchr$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
String ID: %s%s$*/*
API String ID: 3536628738-856325523
Opcode ID: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
Instruction ID: 50f5915c7f2e241ee0ac1eee831ab7967e328a55ddd6e4ab0271c6ae6fac4158
Opcode Fuzzy Hash: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
Instruction Fuzzy Hash: 97718D32700FE086EB18DF61E8487AA77A1FB84B9CF484116EE5A57A9DDF39C506C740

Function 00000265B01B5E28 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000265B01B5FEC: malloc.LIBCMT ref: 00000265B01B6008

GetUserNameA.ADVAPI32 ref: 00000265B01B5EAF
GetComputerNameA.KERNEL32 ref: 00000265B01B5EC2
GetModuleFileNameA.KERNEL32 ref: 00000265B01B5EDB
strrchr.LIBCMT ref: 00000265B01B5EED
GetVersionExA.KERNEL32 ref: 00000265B01B5F10
_snprintf.LIBCMT ref: 00000265B01B5F9B

Strings

%s%s%s, xrefs: 00000265B01B5F7F

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
String ID: %s%s%s
API String ID: 1671524875-1891519693
Opcode ID: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
Instruction ID: b2fb2ad50ac61a3bd542c7160e4aaf871464551a7d18744145369df253ffca69
Opcode Fuzzy Hash: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
Instruction Fuzzy Hash: CC414035604EE046FA0CFB62AD1976A6791BF85BDCF5C4225EE660779ACF3EC4428700

Function 00007FF65B3B1180 Relevance: 10.6, APIs: 7, Instructions: 138
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF65B3B13E6), ref: 00007FF65B3B11BE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF65B3B122F
malloc.MSVCRT ref: 00007FF65B3B1263
strlen.MSVCRT ref: 00007FF65B3B1284
malloc.MSVCRT ref: 00007FF65B3B1290
memcpy.MSVCRT ref: 00007FF65B3B12A8

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
String ID:
API String ID: 3806033187-0
Opcode ID: 1a15f57e95588fd6eb37859caae9805e746058b134bde1b939e5e1975ac52fd3
Instruction ID: cd123f3a989c53f95d8397aba7ae8bbe019868c17695dbca2a3f8e564714d2d6
Opcode Fuzzy Hash: 1a15f57e95588fd6eb37859caae9805e746058b134bde1b939e5e1975ac52fd3
Instruction Fuzzy Hash: F6511436E19E4685EA60AF15E89127963A1BF8DBC0F5C4135D90CFB7B9DE3CE8418340

Function 00000265B01A1184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32 ref: 00000265B01A11B8
CryptAcquireContextA.ADVAPI32 ref: 00000265B01A11DC
CryptGenRandom.ADVAPI32 ref: 00000265B01A11F0
CryptReleaseContext.ADVAPI32 ref: 00000265B01A1204

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 00000265B01A11A2, 00000265B01A11C6
(, xrefs: 00000265B01A11D4

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$RandomRelease
String ID: ($Microsoft Base Cryptographic Provider v1.0
API String ID: 685801729-4046902070
Opcode ID: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
Instruction ID: b73b170a81a0efedc180439ce2ddd48e89c8ee95da8abe2be2f9cb4a3e930dec
Opcode Fuzzy Hash: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
Instruction Fuzzy Hash: AD018031700F9082E718CF69EC8C359A7A2FBD8B8CF588525D65983368CF79C94AC740

Function 00000265B01ACA74 Relevance: 7.8, APIs: 6, Instructions: 296
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000265B01B5FEC: malloc.LIBCMT ref: 00000265B01B6008

malloc.LIBCMT ref: 00000265B01ACB3B

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

Part of subcall function 00000265B01BC230: _time64.LIBCMT ref: 00000265B01BC254
Part of subcall function 00000265B01BC230: malloc.LIBCMT ref: 00000265B01BC29C
Part of subcall function 00000265B01BC230: strtok.LIBCMT ref: 00000265B01BC300
Part of subcall function 00000265B01BC230: strtok.LIBCMT ref: 00000265B01BC311

Part of subcall function 00000265B01B34A0: _time64.LIBCMT ref: 00000265B01B34AE

Part of subcall function 00000265B01BEAA8: malloc.LIBCMT ref: 00000265B01BEAF8

Part of subcall function 00000265B01BEAA8: realloc.LIBCMT ref: 00000265B01BEB07

Part of subcall function 00000265B01AF3C0: GetLocalTime.KERNEL32 ref: 00000265B01AF3DF

malloc.LIBCMT ref: 00000265B01ACC4A
_snprintf.LIBCMT ref: 00000265B01ACCC1
_snprintf.LIBCMT ref: 00000265B01ACCE7
free.LIBCMT ref: 00000265B01ACEC6

Part of subcall function 00000265B01BAD44: malloc.LIBCMT ref: 00000265B01BAD78
Part of subcall function 00000265B01BAD44: free.LIBCMT ref: 00000265B01BAF2F

Part of subcall function 00000265B01B8E0C: htonl.WS2_32 ref: 00000265B01B8E3D
Part of subcall function 00000265B01B8E0C: htonl.WS2_32 ref: 00000265B01B8E4A

_snprintf.LIBCMT ref: 00000265B01ACD0E

Part of subcall function 00000265B01BDA74: Sleep.KERNEL32 ref: 00000265B01BDABC
Part of subcall function 00000265B01BDA74: ExitThread.KERNEL32 ref: 00000265B01BDAC6

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
String ID:
API String ID: 548016584-0
Opcode ID: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
Instruction ID: 7d05fd9a3c4479ceeb59d4e3b56407a193e28e8344ec365be5c1a4b84ae93a2d
Opcode Fuzzy Hash: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
Instruction Fuzzy Hash: A1C16A71200FF146FA1CFB629D997AA6295BFC578CF4C4528AA26476DFDF3AC4058700

Function 00000265B022098B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 00000265B02209A6
VirtualAlloc.KERNELBASE ref: 00000265B0220BAB
InternetReadFile.WININET(00000265B02209B9,00000265B02209B9), ref: 00000265B0220BC9

Strings

U.;, xrefs: 00000265B02209A1

Memory Dump Source

Source File: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, Offset: 00000265B0220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b0220000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AllocFileHttpInternetOpenReadRequestVirtual
String ID: U.;
API String ID: 1187293180-4213443877
Opcode ID: 384db265c013720a470dfad14405f5eea7b7aafc50a111f5be8b2763f8998fcb
Instruction ID: 00714b5dcb421578151980b07f23fabfcdca1cbc9504926a9608639b3f025874
Opcode Fuzzy Hash: 384db265c013720a470dfad14405f5eea7b7aafc50a111f5be8b2763f8998fcb
Instruction Fuzzy Hash: FB119D7034894D1BF62C859DBC9A73661CAE7D8729F24812FB50EC33DADC68CC864069

Function 00007FF65B3B1485 Relevance: 6.1, APIs: 4, Instructions: 53
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32 ref: 00007FF65B3B149F
HeapAlloc.KERNEL32 ref: 00007FF65B3B14B3
HeapReAlloc.KERNEL32 ref: 00007FF65B3B14C8
CreateThread.KERNEL32 ref: 00007FF65B3B1510

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: Heap$AllocCreate$Thread
String ID:
API String ID: 393545303-0
Opcode ID: 922fbbbaed78c000fb9e9957fdd4b777d08603adf046f57d23e7a85043c6e6ab
Instruction ID: 68aac8d04b090a3101677ae18e1178330cd1a2ac2573c9244af62f54eefea160
Opcode Fuzzy Hash: 922fbbbaed78c000fb9e9957fdd4b777d08603adf046f57d23e7a85043c6e6ab
Instruction Fuzzy Hash: 6F01C412B18E8546E7188B77E94516A5792ABCEBC8F5CC134DE0EF7739ED3C91058200

Function 00007FF65B3B1550 Relevance: 6.1, APIs: 4, Instructions: 53
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 00007FF65B3B158B
WriteFile.KERNEL32 ref: 00007FF65B3B15C6
CloseHandle.KERNEL32 ref: 00007FF65B3B15D3
Sleep.KERNEL32 ref: 00007FF65B3B15E9

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: b522a17bd575cebcc94371981c6cfc1a90ee7fcafc91a37c2c9c97fe51e6a9e2
Instruction ID: 6874f3f4318829e770349a057765b05c858cf870e5945aa9091b7e7703e73754
Opcode Fuzzy Hash: b522a17bd575cebcc94371981c6cfc1a90ee7fcafc91a37c2c9c97fe51e6a9e2
Instruction Fuzzy Hash: 5A11E721B28E4146F7649B16F940A35B661BB8CBA4F184335ED6EA2BE8DF3CD4458700

Function 00000265B0220932 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 544
librarynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000265B022094D
InternetOpenA.WININET(00000000,00000000), ref: 00000265B0220965

Strings

wini, xrefs: 00000265B0220936

Memory Dump Source

Source File: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, Offset: 00000265B0220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b0220000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: InternetLibraryLoadOpen
String ID: wini
API String ID: 2559873147-1606035523
Opcode ID: 5b8962ddd29d251976deea026fb88fece5b42db5fb6a2c386323d91ec97e9d21
Instruction ID: d39dff5cf7045a303a26d02e43cddb4a7c6ead9b257deee56ef65651d22bb1ec
Opcode Fuzzy Hash: 5b8962ddd29d251976deea026fb88fece5b42db5fb6a2c386323d91ec97e9d21
Instruction Fuzzy Hash: 3A01DAB251DBD40FE31F0FB49C1A2627FA4EF03219F1A40EBD082CB0A3C812480A8662

Function 00000265B01AF014 Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000265B01AF118: WSAStartup.WS2_32 ref: 00000265B01AF136

WSASocketA.WS2_32 ref: 00000265B01AF042
WSAIoctl.WS2_32 ref: 00000265B01AF08F
closesocket.WS2_32 ref: 00000265B01AF0EE

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: IoctlSocketStartupclosesocket
String ID:
API String ID: 365704328-0
Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction ID: 6174244009bfc2ca071f45b512584e56b16670e93a2d8f5db7f6a9d6064c553a
Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction Fuzzy Hash: C321EA72304BE042E7248F54F94475A7795FB887ECF544629EEAD03B89CB3AC5068B00

Function 00000265B0220B5E Relevance: 3.1, APIs: 2, Instructions: 74
memoryfilenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000265B0220BAB
InternetReadFile.WININET(00000265B02209B9,00000265B02209B9), ref: 00000265B0220BC9

Memory Dump Source

Source File: 00000000.00000002.2911695185.00000265B0220000.00000040.00000020.00020000.00000000.sdmp, Offset: 00000265B0220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b0220000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AllocFileInternetReadVirtual
String ID:
API String ID: 3591508208-0
Opcode ID: e830f2f3305a6c03536cb13fc9f87c9bb4fc1b2b0712b4c1918eebbe9fcd4fc9
Instruction ID: 7fa9a22bbace680af7f584a4b47a13f6280aa3d55d7182a43663c05eb050adc6
Opcode Fuzzy Hash: e830f2f3305a6c03536cb13fc9f87c9bb4fc1b2b0712b4c1918eebbe9fcd4fc9
Instruction Fuzzy Hash: E3113A6130898A0BE72A95F8AC5579756E5DF4531CF28406FF44DC32C7CA19CC0BC295

Function 00007FF65B3B161A Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetMailslotInfo.KERNEL32 ref: 00007FF65B3B165E
ReadFile.KERNEL32 ref: 00007FF65B3B1689

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: FileInfoMailslotRead
String ID:
API String ID: 1548164602-0
Opcode ID: 66d42c6e48568a3c20a91a95a7cade6158a7edf899b4214132c5ceef055053fa
Instruction ID: e82da093dae011e92ff31c6083b83a64ebdf23f72d498d3db0b3faf78e2b7260
Opcode Fuzzy Hash: 66d42c6e48568a3c20a91a95a7cade6158a7edf899b4214132c5ceef055053fa
Instruction Fuzzy Hash: FA018273629A419AD754CB26F44056AB7B1BB88794F588135FD5EE3768DE3CC800CB00

Function 00007FF65B3B16A9 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF65B3B16BC
SleepEx.KERNELBASE ref: 00007FF65B3B16DB

Part of subcall function 00007FF65B3B161A: GetMailslotInfo.KERNEL32 ref: 00007FF65B3B165E
Part of subcall function 00007FF65B3B161A: ReadFile.KERNEL32 ref: 00007FF65B3B1689

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: FileInfoMailslotReadSleepmalloc
String ID:
API String ID: 873109203-0
Opcode ID: e6197d36fbd3103d4a50ca53c577c31a4c8971b37b11a622475542fefe56c484
Instruction ID: 4a91d12acb251f80a022190302424dd2ab185c016dc9b95bcf862982139ee1ea
Opcode Fuzzy Hash: e6197d36fbd3103d4a50ca53c577c31a4c8971b37b11a622475542fefe56c484
Instruction Fuzzy Hash: BFF06222B149829AE614AF22E9015AA67A0AB49784F5C5135DF4DF7269DD3CE442C700

Function 00007FF65B3B7E50 Relevance: 3.0, APIs: 2, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,-00000008,00000001,00007FF65B3B12EE,?,?,?,00007FF65B3B13E6), ref: 00007FF65B3B7E70
WaitForSingleObject.KERNEL32(?,?,-00000008,00000001,00007FF65B3B12EE,?,?,?,00007FF65B3B13E6), ref: 00007FF65B3B7E7A

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: CurrentObjectProcessSingleWait
String ID:
API String ID: 256417062-0
Opcode ID: c1dd2d7d938631d4f64d6ca566ec5bbe9b3de8b65e8f1a3089ffaa226a068756
Instruction ID: 64efbf9c85d3fb95d924a84f6f39aea2968a34d655760299d9c5940d1e25bf73
Opcode Fuzzy Hash: c1dd2d7d938631d4f64d6ca566ec5bbe9b3de8b65e8f1a3089ffaa226a068756
Instruction Fuzzy Hash: F7D0C918E2DE5A90E9586336EC170B92651BF4C780F2C0436DD0DBB3BA9C3CF8524300

Function 00000265B207936B Relevance: 1.4, APIs: 1, Instructions: 136
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000265B20794B8

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction ID: a8231e14bca35286cd7d29ee7c9b86d04584844c62178651666951559be14896
Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction Fuzzy Hash: 7E418670618B989FD784EB2CC49CB2AB7E1FBA8355F50096DF489C7264D735D881CB02

Non-executed Functions

Function 00000265B01C6514 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000265B01C656A
_errno.LIBCMT ref: 00000265B01C6571
_invalid_parameter_noinfo.LIBCMT ref: 00000265B01C657C

Strings

U, xrefs: 00000265B01C6ADE

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
Instruction ID: 25c3eb6216fefede7bfa63f3a7a0d17f77c96da6fed2cbb75cd5bd53c53b4c6f
Opcode Fuzzy Hash: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
Instruction Fuzzy Hash: BC12E832314EE18AEB388F15D84835E7BA1FB8476CF584116EA494BB9DDB3EC845CB10

Function 00000265B01B867C Relevance: 46.6, APIs: 22, Strings: 4, Instructions: 1078processCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00000265B01B8FA0
CreateToolhelp32Snapshot.KERNEL32 ref: 00000265B01B8FD9
Process32First.KERNEL32 ref: 00000265B01B8FFB

Strings

x64, xrefs: 00000265B01B8FB2, 00000265B01B8FC0
%s%d%d, xrefs: 00000265B01B9046
x86, xrefs: 00000265B01B8FC7, 00000265B01B90B0
%s%d%d%s%s%d, xrefs: 00000265B01B90E0

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
API String ID: 718051232-1833344708
Opcode ID: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
Instruction ID: a744816dc3660d98bc54f59e9026db8028163c299c8b0dc9bd9d64ac944619f1
Opcode Fuzzy Hash: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
Instruction Fuzzy Hash: B2826E31B04EF086EA6CFB269C597A912D1BFD9B8CF9C4115D90A877DDEF2AC5428700

Function 00000265B01C2F9C Relevance: 37.4, APIs: 19, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00000265B01C2FFD

Part of subcall function 00000265B01C1600: _getptd.LIBCMT ref: 00000265B01C1616
Part of subcall function 00000265B01C1600: __updatetlocinfo.LIBCMT ref: 00000265B01C164B
Part of subcall function 00000265B01C1600: __updatetmbcinfo.LIBCMT ref: 00000265B01C1672

_errno.LIBCMT ref: 00000265B01C3002

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

_fileno.LIBCMT ref: 00000265B01C302F

Part of subcall function 00000265B01C5A54: _errno.LIBCMT ref: 00000265B01C5A5D
Part of subcall function 00000265B01C5A54: _invalid_parameter_noinfo.LIBCMT ref: 00000265B01C5A68

write_multi_char.LIBCMT ref: 00000265B01C366B
write_string.LIBCMT ref: 00000265B01C3688
write_multi_char.LIBCMT ref: 00000265B01C36A5
write_string.LIBCMT ref: 00000265B01C3704
write_string.LIBCMT ref: 00000265B01C373B
write_multi_char.LIBCMT ref: 00000265B01C375D
free.LIBCMT ref: 00000265B01C3771
_isleadbyte_l.LIBCMT ref: 00000265B01C3842
write_char.LIBCMT ref: 00000265B01C3858
write_char.LIBCMT ref: 00000265B01C3879
_errno.LIBCMT ref: 00000265B01C397C
_invalid_parameter_noinfo.LIBCMT ref: 00000265B01C3987

Strings

@, xrefs: 00000265B01C301B
, xrefs: 00000265B01C363F

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
Instruction ID: 9e2b1f036e599ce1165ef3decfb21b9df83c84cbbe54375082cf6cc51497f0be
Opcode Fuzzy Hash: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
Instruction Fuzzy Hash: 8952BFB260CEF486FB7D8A15994C36E7AA0BF417BCF1C1105DA464AADCDB7AC941CB01

Function 00000265B01C2528 Relevance: 35.7, APIs: 19, Strings: 1, Instructions: 687COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00000265B01C2589

Part of subcall function 00000265B01C1600: _getptd.LIBCMT ref: 00000265B01C1616
Part of subcall function 00000265B01C1600: __updatetlocinfo.LIBCMT ref: 00000265B01C164B
Part of subcall function 00000265B01C1600: __updatetmbcinfo.LIBCMT ref: 00000265B01C1672

_errno.LIBCMT ref: 00000265B01C258E

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

_fileno.LIBCMT ref: 00000265B01C25BB

Part of subcall function 00000265B01C5A54: _errno.LIBCMT ref: 00000265B01C5A5D
Part of subcall function 00000265B01C5A54: _invalid_parameter_noinfo.LIBCMT ref: 00000265B01C5A68

write_multi_char.LIBCMT ref: 00000265B01C2BEB
write_string.LIBCMT ref: 00000265B01C2C08
write_multi_char.LIBCMT ref: 00000265B01C2C25
write_string.LIBCMT ref: 00000265B01C2C84
write_string.LIBCMT ref: 00000265B01C2CBB
write_multi_char.LIBCMT ref: 00000265B01C2CDD
free.LIBCMT ref: 00000265B01C2CF1
_isleadbyte_l.LIBCMT ref: 00000265B01C2DC2
write_char.LIBCMT ref: 00000265B01C2DD8
write_char.LIBCMT ref: 00000265B01C2DF9
_errno.LIBCMT ref: 00000265B01C2EF3
_invalid_parameter_noinfo.LIBCMT ref: 00000265B01C2EFE

Strings

, xrefs: 00000265B01C2BBF

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3318157856-3916222277
Opcode ID: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
Instruction ID: 295dbc23cf6da91fdf6b63d54dfbb3268f4fc36c1acb08190815bedb52da247a
Opcode Fuzzy Hash: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
Instruction Fuzzy Hash: 2852A132608EF487FB7D8A5D994836E6BA0BF457ACF2C1005DA465BADCD77AC940CB40

Function 00000265B20823E3 Relevance: 30.8, APIs: 15, Strings: 2, Instructions: 1030COMMON

Download Yara Rule

APIs

Part of subcall function 00000265B2080A47: _getptd.LIBCMT ref: 00000265B2080A5D
Part of subcall function 00000265B2080A47: __updatetlocinfo.LIBCMT ref: 00000265B2080A92
Part of subcall function 00000265B2080A47: __updatetmbcinfo.LIBCMT ref: 00000265B2080AB9

_errno.LIBCMT ref: 00000265B2082449

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

_fileno.LIBCMT ref: 00000265B2082476

Part of subcall function 00000265B2084E9B: _errno.LIBCMT ref: 00000265B2084EA4
Part of subcall function 00000265B2084E9B: _invalid_parameter_noinfo.LIBCMT ref: 00000265B2084EAF

write_multi_char.LIBCMT ref: 00000265B2082AB2
write_string.LIBCMT ref: 00000265B2082ACF
write_multi_char.LIBCMT ref: 00000265B2082AEC
write_string.LIBCMT ref: 00000265B2082B4B
write_multi_char.LIBCMT ref: 00000265B2082BA4
free.LIBCMT ref: 00000265B2082BB8
_isleadbyte_l.LIBCMT ref: 00000265B2082C89
write_char.LIBCMT ref: 00000265B2082C9F
write_char.LIBCMT ref: 00000265B2082CC0
_errno.LIBCMT ref: 00000265B2082DC3
_invalid_parameter_noinfo.LIBCMT ref: 00000265B2082DCE

Strings

@, xrefs: 00000265B2082462
, xrefs: 00000265B2082A86

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3613058218-1077428164
Opcode ID: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
Instruction ID: 1d87c2098c9b706854f5dd19b263c5c17f3e0620f57319476aed66973643a5ba
Opcode Fuzzy Hash: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
Instruction Fuzzy Hash: 0E622931918EED8FFB6C9A1884E93BB77D1FB55308F24011DD887CB9D9D63688428762

Function 00000265B208196F Relevance: 29.0, APIs: 15, Strings: 1, Instructions: 1022COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000265B2080A47: _getptd.LIBCMT ref: 00000265B2080A5D
Part of subcall function 00000265B2080A47: __updatetlocinfo.LIBCMT ref: 00000265B2080A92
Part of subcall function 00000265B2080A47: __updatetmbcinfo.LIBCMT ref: 00000265B2080AB9

_errno.LIBCMT ref: 00000265B20819D5

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

_fileno.LIBCMT ref: 00000265B2081A02

Part of subcall function 00000265B2084E9B: _errno.LIBCMT ref: 00000265B2084EA4
Part of subcall function 00000265B2084E9B: _invalid_parameter_noinfo.LIBCMT ref: 00000265B2084EAF

write_multi_char.LIBCMT ref: 00000265B2082032
write_string.LIBCMT ref: 00000265B208204F
write_multi_char.LIBCMT ref: 00000265B208206C
write_string.LIBCMT ref: 00000265B20820CB
write_multi_char.LIBCMT ref: 00000265B2082124
free.LIBCMT ref: 00000265B2082138
_isleadbyte_l.LIBCMT ref: 00000265B2082209
write_char.LIBCMT ref: 00000265B208221F
write_char.LIBCMT ref: 00000265B2082240
_errno.LIBCMT ref: 00000265B208233A
_invalid_parameter_noinfo.LIBCMT ref: 00000265B2082345

Strings

, xrefs: 00000265B2082006

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3613058218-3916222277
Opcode ID: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
Instruction ID: 8d6b9145b50729ab0893b35aa6366f4dc20bef4e07ecfd62368a12ef045f11eb
Opcode Fuzzy Hash: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
Instruction Fuzzy Hash: F0622C31918EAD8EFB6C8A18C4E93BBB7D1FF55308F24011DD587CBADAD63698028751

Function 00000265B01B7B38 Relevance: 26.0, APIs: 10, Strings: 7, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 00000265B01B7D66
_snprintf.LIBCMT ref: 00000265B01B7D83
_snprintf.LIBCMT ref: 00000265B01B7CA5

Part of subcall function 00000265B01BF63C: _errno.LIBCMT ref: 00000265B01BF673
Part of subcall function 00000265B01BF63C: _invalid_parameter_noinfo.LIBCMT ref: 00000265B01BF67E

_snprintf.LIBCMT ref: 00000265B01B7FD8
_snprintf.LIBCMT ref: 00000265B01B8334

Strings

?%s=%s, xrefs: 00000265B01B7D5A
%s&%s, xrefs: 00000265B01B826A
?%s, xrefs: 00000265B01B8257
%s%s, xrefs: 00000265B01B80D7
%s%s: %s, xrefs: 00000265B01B7C94
%s%s, xrefs: 00000265B01B7FC7, 00000265B01B7FF1, 00000265B01B8195, 00000265B01B8326
%s&%s=%s, xrefs: 00000265B01B7D77

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
API String ID: 3442832105-1222817042
Opcode ID: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
Instruction ID: d3f26a745d5523a118b411569f298f4c5cd75b1cb0095743bd779b62c9f44abc
Opcode Fuzzy Hash: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
Instruction Fuzzy Hash: 3642B771614ED492EB29AB2DD4453E8A3A0FFD875DF085101DF8917B69EF39D2A2C340

Function 00000265B01B1C30 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 150filetimeCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01B1C63

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

Part of subcall function 00000265B01AD044: malloc.LIBCMT ref: 00000265B01AD057

Part of subcall function 00000265B01AD074: htonl.WS2_32 ref: 00000265B01AD07F

GetCurrentDirectoryA.KERNEL32 ref: 00000265B01B1CDB
FindFirstFileA.KERNEL32 ref: 00000265B01B1D14
GetLastError.KERNEL32 ref: 00000265B01B1D23
free.LIBCMT ref: 00000265B01B1D5E
free.LIBCMT ref: 00000265B01B1D6B

Part of subcall function 00000265B01BF244: HeapFree.KERNEL32 ref: 00000265B01BF25A
Part of subcall function 00000265B01BF244: _errno.LIBCMT ref: 00000265B01BF264
Part of subcall function 00000265B01BF244: GetLastError.KERNEL32 ref: 00000265B01BF26C

FileTimeToSystemTime.KERNEL32 ref: 00000265B01B1D78
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00000265B01B1D89
FindNextFileA.KERNEL32 ref: 00000265B01B1E46
FindClose.KERNEL32 ref: 00000265B01B1E57

Strings

F%I64d%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 00000265B01B1E29
.\*, xrefs: 00000265B01B1CBF
D0%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 00000265B01B1DCB
%s, xrefs: 00000265B01B1CF9

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
API String ID: 723279517-1754256099
Opcode ID: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
Instruction ID: 931ae54c93189cfd78a421516bb11d76ff25b1a368854a10c2beaeecfe5442eb
Opcode Fuzzy Hash: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
Instruction Fuzzy Hash: 6961D072304FA096EB18EB61E84929DA3A1FB94B8CF444015EE5A43B9DDB7EC506CB00

Function 00000265B01B0F34 Relevance: 18.2, APIs: 12, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32 ref: 00000265B01B0F8F
GetLastError.KERNEL32 ref: 00000265B01B0F9D
GetLastError.KERNEL32 ref: 00000265B01B0FC1

Part of subcall function 00000265B01AFE54: MultiByteToWideChar.KERNEL32 ref: 00000265B01AFE81
Part of subcall function 00000265B01AFE54: MultiByteToWideChar.KERNEL32 ref: 00000265B01AFEA9

CreateProcessA.KERNEL32 ref: 00000265B01B1013
GetLastError.KERNEL32 ref: 00000265B01B101D
GetCurrentDirectoryW.KERNEL32 ref: 00000265B01B1374
GetCurrentDirectoryW.KERNEL32 ref: 00000265B01B1388
CreateProcessWithTokenW.ADVAPI32 ref: 00000265B01B13D1

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
String ID:
API String ID: 3044875250-0
Opcode ID: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
Instruction ID: 263b62a0c9e712316d8a0a26b2c0e2ffdceb8bc5492a6917a911e80f3e5d501b
Opcode Fuzzy Hash: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
Instruction Fuzzy Hash: 2B719332204F9092E728AF21EC8935D73A1FF98B9CF594129EA5943BACDF7AC455C700

Function 00000265B01B9220 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01B924F

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

_snprintf.LIBCMT ref: 00000265B01B9267

Part of subcall function 00000265B01BF63C: _errno.LIBCMT ref: 00000265B01BF673
Part of subcall function 00000265B01BF63C: _invalid_parameter_noinfo.LIBCMT ref: 00000265B01BF67E

FindFirstFileA.KERNEL32 ref: 00000265B01B9272
free.LIBCMT ref: 00000265B01B927E

Part of subcall function 00000265B01BF244: HeapFree.KERNEL32 ref: 00000265B01BF25A
Part of subcall function 00000265B01BF244: _errno.LIBCMT ref: 00000265B01BF264
Part of subcall function 00000265B01BF244: GetLastError.KERNEL32 ref: 00000265B01BF26C

malloc.LIBCMT ref: 00000265B01B92CE
_snprintf.LIBCMT ref: 00000265B01B92E6
free.LIBCMT ref: 00000265B01B930E
FindNextFileA.KERNEL32 ref: 00000265B01B9327
FindClose.KERNEL32 ref: 00000265B01B9338

Strings

%s\*, xrefs: 00000265B01B9254

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
String ID: %s\*
API String ID: 2620626937-766152087
Opcode ID: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
Instruction ID: e9e93c717748e9c3343cd8b4b77163a91dcf2b01478aca3790c23fdf9e30dccf
Opcode Fuzzy Hash: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
Instruction Fuzzy Hash: E9316F35204DE115EA1D6B626C193A97BA17F96FDCF8C8151DEA5077DACF3AC4438300

Function 00000265B01B6A78 Relevance: 9.1, APIs: 6, Instructions: 60networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00000265B01B6AB0
htons.WS2_32 ref: 00000265B01B6AD0
ioctlsocket.WS2_32 ref: 00000265B01B6AEC
closesocket.WS2_32 ref: 00000265B01B6AFA
bind.WS2_32 ref: 00000265B01B6B0D
listen.WS2_32 ref: 00000265B01B6B1D

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonsioctlsocketlistensocket
String ID:
API String ID: 1767165869-0
Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
Instruction ID: 8eaec8323ec306b830540f36bebb1ed5e18cadb016229a0dcedb52b945b16cba
Opcode Fuzzy Hash: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
Instruction Fuzzy Hash: C121EB31304FE486EB285F16AC1925977A0FB94F6CF4C4724DE6653798CB3ED4468700

Function 00000265B01B6670 Relevance: 9.1, APIs: 6, Instructions: 57networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00000265B01B6698
htons.WS2_32 ref: 00000265B01B66A4
socket.WS2_32 ref: 00000265B01B66BC
closesocket.WS2_32 ref: 00000265B01B66CE
bind.WS2_32 ref: 00000265B01B66FB
ioctlsocket.WS2_32 ref: 00000265B01B6715

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonlhtonsioctlsocketsocket
String ID:
API String ID: 3910169428-0
Opcode ID: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
Instruction ID: 8c8da1c621952b3c22a60d249396e24cd088df8b0917a601c55d321d0fc43353
Opcode Fuzzy Hash: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
Instruction Fuzzy Hash: FC215135210FA096E718AF21E8197997760BB98BACF584325DE69433D8DF3DC54AC640

Function 00007FF65B3B5120 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 1385COMMON

Download Yara Rule

Strings

, xrefs: 00007FF65B3B68C4
Infinity, xrefs: 00007FF65B3B5478
NaN, xrefs: 00007FF65B3B53F7
, xrefs: 00007FF65B3B65E0

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: 5facf488f1f244cafe667ee773a1f67a142571c84910a82704edcb4632f78b71
Instruction ID: cc8527c66e1801b44a69c5e103dc7a38a9e9963267e6d4daf438cbb12a26bed7
Opcode Fuzzy Hash: 5facf488f1f244cafe667ee773a1f67a142571c84910a82704edcb4632f78b71
Instruction Fuzzy Hash: FFD2B572A1CA818BE7518F25E45072AB791FB89780F194135EA8AF7B6DDF3DE4418F00

Function 00000265B01BDF50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000265B01BDCC0: RevertToSelf.ADVAPI32 ref: 00000265B01BDCDD

LogonUserA.ADVAPI32 ref: 00000265B01BDF98
GetLastError.KERNEL32 ref: 00000265B01BDFA2

Part of subcall function 00000265B01B5FEC: malloc.LIBCMT ref: 00000265B01B6008

Part of subcall function 00000265B01AFE54: MultiByteToWideChar.KERNEL32 ref: 00000265B01AFE81
Part of subcall function 00000265B01AFE54: MultiByteToWideChar.KERNEL32 ref: 00000265B01AFEA9

Part of subcall function 00000265B01AD044: malloc.LIBCMT ref: 00000265B01AD057

ImpersonateLoggedOnUser.ADVAPI32 ref: 00000265B01BDFC0
GetLastError.KERNEL32 ref: 00000265B01BDFCA

Strings

%s\%s, xrefs: 00000265B01BE084

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
String ID: %s\%s
API String ID: 3621627092-4073750446
Opcode ID: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
Instruction ID: 97b3aeee6c046c5e3a50e53c66bcb234f144d0af44c3033510b2e373fbe961b3
Opcode Fuzzy Hash: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
Instruction Fuzzy Hash: 5C412E70314FA081FA08AB62EC5975E63A1FF95B8CF480129E95E4779EDF3EC5468740

Function 00000265B01AFA1C Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000265B01AFA3D
Sleep.KERNEL32 ref: 00000265B01AFAAC
GetTickCount.KERNEL32 ref: 00000265B01AFAB2
Sleep.KERNEL32 ref: 00000265B01AFACB
closesocket.WS2_32 ref: 00000265B01AFAD4

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CountSleepTick$closesocket
String ID:
API String ID: 2363407838-0
Opcode ID: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
Instruction ID: 51095a5a31c435d0d47219e4963a5ca8ac15b55e30224d232aad0ad8861ae889
Opcode Fuzzy Hash: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
Instruction Fuzzy Hash: 2321C531704FE081EA14A762BC4929A6250BBD5BBCF484725EDBE477DEDE3DC5068700

Function 00000265B01BEE8C Relevance: 7.6, APIs: 5, Instructions: 53networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

socket.WS2_32 ref: 00000265B01BEEC1
closesocket.WS2_32 ref: 00000265B01BEED3
htons.WS2_32 ref: 00000265B01BEEE4
bind.WS2_32 ref: 00000265B01BEF05
listen.WS2_32 ref: 00000265B01BEF1A

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonslistensocket
String ID:
API String ID: 564772725-0
Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
Instruction ID: cdb241aaaf5c1ba2ea01b17715f9fddc7c34d798ce4bdf07f05770c8279682c0
Opcode Fuzzy Hash: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
Instruction Fuzzy Hash: 3111B735614FE481E628EF15EC19219B3A0FB84BACF484325EEA6077D8DF3EC1058704

Function 00000265B01B0B70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32 ref: 00000265B01B0BEA
AdjustTokenPrivileges.ADVAPI32 ref: 00000265B01B0C1A
GetLastError.KERNEL32 ref: 00000265B01B0C24

Strings

%s, xrefs: 00000265B01B0C32

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID: %s
API String ID: 4244140340-620797490
Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
Instruction ID: 7176356826f8d50eec0f920e18040da539260ca7b2009f89c1c5c5af0dbcd608
Opcode Fuzzy Hash: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
Instruction Fuzzy Hash: 42217E72B00F9099FB189B61D8497EC33A5FB98B8CF484555CE4C93A49EF35C515C380

Function 00000265B01B5854 Relevance: 6.1, APIs: 4, Instructions: 73sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000265B01B587B
Sleep.KERNEL32 ref: 00000265B01B58CA
GetTickCount.KERNEL32 ref: 00000265B01B58D0
WSAGetLastError.WS2_32 ref: 00000265B01B58DA

Part of subcall function 00000265B01B5A20: ioctlsocket.WS2_32 ref: 00000265B01B5A42

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepioctlsocket
String ID:
API String ID: 1121440892-0
Opcode ID: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
Instruction ID: f1653cec0562a96eda720a7e21a7747f94356450874b629d054a51ec27c5d604
Opcode Fuzzy Hash: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
Instruction Fuzzy Hash: A0315E36B00FA095EB14EBA2E84829C33B5FB88B98F550225DF6D93799DF35C505C340

Function 00000265B01B76F0 Relevance: 6.0, APIs: 4, Instructions: 32memorythreadCOMMON

Download Yara Rule

APIs

InitializeProcThreadAttributeList.KERNEL32 ref: 00000265B01B770E
GetProcessHeap.KERNEL32 ref: 00000265B01B7714
HeapAlloc.KERNEL32 ref: 00000265B01B7724
InitializeProcThreadAttributeList.KERNEL32 ref: 00000265B01B773F

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AttributeHeapInitializeListProcThread$AllocProcess
String ID:
API String ID: 1212816094-0
Opcode ID: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
Instruction ID: e23d472ed9bdfe9741f23c5e70d0ded375a536f3195cca1997ded654bc8ec642
Opcode Fuzzy Hash: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
Instruction Fuzzy Hash: E5F0C236324ED092EB588B25AC4975AA2A0FF88B98F5C9425EA0B4375CCE3EC4458A10

Function 00000265B01ADA3C Relevance: 4.9, APIs: 3, Instructions: 374memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000265B01B6114: htonl.WS2_32 ref: 00000265B01B6131

GetLastError.KERNEL32 ref: 00000265B01ADD33

Part of subcall function 00000265B01BCC00: GetCurrentProcess.KERNEL32 ref: 00000265B01BCC8D

HeapCreate.KERNEL32 ref: 00000265B01ADCDA
HeapAlloc.KERNEL32 ref: 00000265B01ADCF8

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
String ID:
API String ID: 3419463915-0
Opcode ID: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
Instruction ID: 97f21b70898ba868a3f88785c78cd0c1938be72f4def7c81f72263e0be61a483
Opcode Fuzzy Hash: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
Instruction Fuzzy Hash: DCE18272610FA187FB289B25EC493AA63A1FB9475CF4C4125DB9B8769ADF3DE045C300

Function 00000265B01BDEC8 Relevance: 4.5, APIs: 3, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00000265B01BDF17
CheckTokenMembership.ADVAPI32 ref: 00000265B01BDF2E
FreeSid.ADVAPI32 ref: 00000265B01BDF3F

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
Instruction ID: 044fa89cc85414392cde0d756fe0b178d62eb0a222b4a8d3a2093530d6272b44
Opcode Fuzzy Hash: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
Instruction Fuzzy Hash: C0015A73624A818FE7248F20E8493AE33B0F76476EF010A09F65946A98CB7DC159CF80

Function 00000265B01CC3B0 Relevance: 3.4, Strings: 2, Instructions: 884COMMONLIBRARYCODE

Download Yara Rule

Strings

<, xrefs: 00000265B01CCA6E
, xrefs: 00000265B01CCA63

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID:
String ID: $<
API String ID: 0-428540627
Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction ID: b1e7504c12a95a1bb801bdedd71bc525dbb33a943d210fcb764e297e63be3d80
Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction Fuzzy Hash: 1A92F3B2325A8087DB58CB1DE4A573AB7A1F3C8B84F44512AE79B87798CE3DC551CB04

Function 00000265B207F5EF Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 00000265B207F623

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _initp_misc_winsig
String ID:
API String ID: 2710132595-0
Opcode ID: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
Instruction ID: 160cb55158b31eb8fa6eef1a7c97e44644c71df3a3f6f0c574793462f80950bf
Opcode Fuzzy Hash: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
Instruction Fuzzy Hash: DFA1EB71619A098FEF94FF75E8986AA37B2F768301721893A900AC3174DABCD545CB40

Function 00007FF65B3B3F40 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

., xrefs: 00007FF65B3B406E

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: dc7c95912ea179b4376ebdfd1fe7d6f82869dd945337f08c514ca93ba6913bec
Instruction ID: 8c592b85fa661ffe5a760a63826ff3865378b6b11585e7dada97eda442b1b74f
Opcode Fuzzy Hash: dc7c95912ea179b4376ebdfd1fe7d6f82869dd945337f08c514ca93ba6913bec
Instruction Fuzzy Hash: 46B1F562E1CA5642FB698E25D40577DA652BB58B84F0C8134DE0EFB7ECDE7CE9408700

Function 00000265B01B0920 Relevance: 1.5, APIs: 1, Instructions: 33pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32 ref: 00000265B01B098A

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
Instruction ID: 2478374fdcca897d85e491929338c9e39506317d75c4e64b8d1968ca1379fc2b
Opcode Fuzzy Hash: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
Instruction Fuzzy Hash: AB016932510F908AEB19DB20E89835977A1FB9977DF584314E6AC026DAEB7EC119CB00

Function 00000265B01CDBF0 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: 4fc64af387cb4e7fd985f2fe44b66169ab58e1aac022ab4f59a111e521175504
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: 4C526FB221499587D708CF1CE4A173AB7E1F7C9B84F44862AE78B8B799CE2DD541DB00

Function 00000265B01CD280 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: cf01a654f1a21af9258314ccdd183a3bbdc47bf65d7715f86c00ffba75ea821d
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: 165253B221499087D708CF1DE4A573AB7E1F3C9B84F44862AE78B8B799CA3DD545CB40

Function 00000265B01AA280 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 40c53b571594c944c6c42c99c95be119a294f9789df234ffb94304ec201d3ca9
Instruction ID: dee5c8319b28edca5ab1043385df369583f0f951b72d51d8a2aa44c1bfa8be9d
Opcode Fuzzy Hash: 40c53b571594c944c6c42c99c95be119a294f9789df234ffb94304ec201d3ca9
Instruction Fuzzy Hash: FFF1C572305FB282EB24DB65DC487AE63A1FB9478CF984111EB598768DEB36C905CB40

Function 00000265B01A9D6C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1b3d1c8f5ea9877e8ed1206496e01479fe179dcfc2b543a7d16d2e920dbf27a1
Instruction ID: bf193c178038854d633b98a0ae23ee3f522cf7c15490a0e81336b7ec8c615189
Opcode Fuzzy Hash: 1b3d1c8f5ea9877e8ed1206496e01479fe179dcfc2b543a7d16d2e920dbf27a1
Instruction Fuzzy Hash: 34E1B272304FF291EB249B65DC843EE67A1FB9479CF880012EA698769DEF36C945C740

Function 00000265B01CCF97 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction ID: 56bb7855f2265d436dd1c769b6664470bbe63607a4aa0987c3a2289e6738c0e3
Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction Fuzzy Hash: CD610FB5214A9087D718CB0DE4D572AB7E2F3CC7D8F88461AE38A87768DA3DD545CB40

Function 00007FF65B3BD2D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c619139f7531ec7fad6b3bf9a30fe3ab1bdcd9abfa9aa3a719cf8d3fb33ffc0e
Instruction ID: c1ce15b3d2554b6cff18fbd512a0cbcbc11e1a3eeafde3476d50834f1c1c53ed
Opcode Fuzzy Hash: c619139f7531ec7fad6b3bf9a30fe3ab1bdcd9abfa9aa3a719cf8d3fb33ffc0e
Instruction Fuzzy Hash: 0941CB87E1DED14AE35256244C7B1A42FA1BFA7B2174C40BECA4CA36D7EC1E7C069301

Function 00000265B01D22A0 Relevance: .1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388fc0e8d687ba06ef0eb527d504c82e799ab2ec37b671ef82ec32a114372916
Instruction ID: d577b84233c69dbc5f5f4b7fbc8389908681cfc8d1d845e612ffbd1e22b2ee54
Opcode Fuzzy Hash: 388fc0e8d687ba06ef0eb527d504c82e799ab2ec37b671ef82ec32a114372916
Instruction Fuzzy Hash: 8E1181E7ED9FE43AE76A81500CAF6541F90BBB1B0CF5D424EDA64432DBB84E5E064250

Function 00000265B01D2020 Relevance: .0, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2449b57596a50ad70bf5a79ad03ba1278d28424a0d500497218b9da266a4c145
Instruction ID: bf8a89a24dd0262084798414e3bc4c5d7e2d2e35fc79d9d8933dc60e06a5a829
Opcode Fuzzy Hash: 2449b57596a50ad70bf5a79ad03ba1278d28424a0d500497218b9da266a4c145
Instruction Fuzzy Hash: 99F012A7E1DEF066F26646140C6F3582F91BBB6A1DF4D824AEA60435DBA4070803D212

Function 00000265B01D24E0 Relevance: .0, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29815153074e48871c3a2db5cbc692924d6533ff20b66ed198598eb5028f0353
Instruction ID: 5346d219b272771fa0c5f5ce861df9ae328da2ed7013aaaea4b99fcb48cf2922
Opcode Fuzzy Hash: 29815153074e48871c3a2db5cbc692924d6533ff20b66ed198598eb5028f0353
Instruction Fuzzy Hash: F9E0C0AB91DEE05AF36B45740C7E55D2FD1BBB690CF5E8246CB50432C7A54B0C064351

Function 00000265B01D2630 Relevance: .0, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346746c420873f5115eefdb694fe7c4ecc9345e885989bf490d76ed756ab699a
Instruction ID: 0522c61c11d7f225a0bfaa5d64818673812a23bf05e255c3d89a87cb4bd8a32d
Opcode Fuzzy Hash: 346746c420873f5115eefdb694fe7c4ecc9345e885989bf490d76ed756ab699a
Instruction Fuzzy Hash: 74D012F7A1DFE015F2A742244C2E3481F917B72528F4C414FCA90062D7A44B58038211

Function 00000265B01B6BE0 Relevance: 22.7, APIs: 15, Instructions: 195networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 00000265B01B6C3D
select.WS2_32 ref: 00000265B01B6CAB
__WSAFDIsSet.WS2_32 ref: 00000265B01B6CC3
accept.WS2_32 ref: 00000265B01B6CE0
ioctlsocket.WS2_32 ref: 00000265B01B6CF8
__WSAFDIsSet.WS2_32 ref: 00000265B01B6D9B
accept.WS2_32 ref: 00000265B01B6DB1

Part of subcall function 00000265B01B5A20: ioctlsocket.WS2_32 ref: 00000265B01B5A42

__WSAFDIsSet.WS2_32 ref: 00000265B01B6E33
__WSAFDIsSet.WS2_32 ref: 00000265B01B6E4B
closesocket.WS2_32 ref: 00000265B01B6F0D

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: acceptioctlsocket$closesockethtonlselect
String ID:
API String ID: 2003300010-0
Opcode ID: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
Instruction ID: 758905496993353217d729707a16ab6c86c2eecff340e11901e46c07b949d611
Opcode Fuzzy Hash: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
Instruction Fuzzy Hash: 8C918B32610EE09AE728EF25ED4879D33A1FB9879CF040125EB5D47A99DF3AC565C700

Function 00000265B01AEC04 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165networksleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 00000265B01AECD3
_snprintf.LIBCMT ref: 00000265B01AECFE
_snprintf.LIBCMT ref: 00000265B01AED1A
_snprintf.LIBCMT ref: 00000265B01AEDCF
_snprintf.LIBCMT ref: 00000265B01AEDE6
HttpOpenRequestA.WININET ref: 00000265B01AEE32
HttpSendRequestA.WININET ref: 00000265B01AEE65
InternetCloseHandle.WININET ref: 00000265B01AEE7A
Sleep.KERNEL32 ref: 00000265B01AEE85
InternetCloseHandle.WININET ref: 00000265B01AEE98

Strings

*/*, xrefs: 00000265B01AEC2A
%s%s, xrefs: 00000265B01AEDDB

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep
String ID: %s%s$*/*
API String ID: 3787158362-856325523
Opcode ID: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
Instruction ID: 0b3d1085e64daf33043b7642477162ceb238a87781473ddcbcedd1444acf2a90
Opcode Fuzzy Hash: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
Instruction Fuzzy Hash: 0E813972200FE495EB18EB65EC883D977A0FB9474CF480526EA5E437A9DF3AC506C740

Function 00000265B01B53E4 Relevance: 18.1, APIs: 12, Instructions: 105pipesleepfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000265B01B55E4
GetTickCount.KERNEL32 ref: 00000265B01B55F0
CreateFileA.KERNEL32 ref: 00000265B01B561E
GetLastError.KERNEL32 ref: 00000265B01B562D
WaitNamedPipeA.KERNEL32 ref: 00000265B01B5642
Sleep.KERNEL32 ref: 00000265B01B564F
GetTickCount.KERNEL32 ref: 00000265B01B5655
GetLastError.KERNEL32 ref: 00000265B01B566B
GetLastError.KERNEL32 ref: 00000265B01B5683
SetNamedPipeHandleState.KERNEL32 ref: 00000265B01B56AE
GetLastError.KERNEL32 ref: 00000265B01B56B8
DisconnectNamedPipe.KERNEL32 ref: 00000265B01B5732

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
String ID:
API String ID: 34948862-0
Opcode ID: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
Instruction ID: c4964f1021083a9390b319396d16a1f7aeadbd9b78d62bf6b864be252e29c1a8
Opcode Fuzzy Hash: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
Instruction Fuzzy Hash: 01416031704FA096F718EB61EC5979D33A5FB98BACF584620DE2A47798DF3AC4458700

Function 00000265B01BFE10 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01BFE36

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

_invalid_parameter_noinfo.LIBCMT ref: 00000265B01BFE42
__crtIsPackagedApp.LIBCMT ref: 00000265B01BFE53
AreFileApisANSI.KERNEL32 ref: 00000265B01BFE62
MultiByteToWideChar.KERNEL32 ref: 00000265B01BFE88
GetLastError.KERNEL32 ref: 00000265B01BFE95
_dosmaperr.LIBCMT ref: 00000265B01BFE9D

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1138158220-0
Opcode ID: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
Instruction ID: d423fd30f4106d944ddaf5930589b1b757b9ae9c888e15fd04ffc0a231e1099f
Opcode Fuzzy Hash: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
Instruction Fuzzy Hash: 9C319631200FA082FB28AB659C5936D66E1BFD9BACF1D4628EA55477EEDF3DC4418300

Function 00000265B01BFF6C Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00000265B01BFF7D
free.LIBCMT ref: 00000265B01BFF9A

Part of subcall function 00000265B01BF244: HeapFree.KERNEL32 ref: 00000265B01BF25A
Part of subcall function 00000265B01BF244: _errno.LIBCMT ref: 00000265B01BF264
Part of subcall function 00000265B01BF244: GetLastError.KERNEL32 ref: 00000265B01BF26C

free.LIBCMT ref: 00000265B01BFFAF
free.LIBCMT ref: 00000265B01BFFD0
free.LIBCMT ref: 00000265B01BFFE5
free.LIBCMT ref: 00000265B01BFFF9
free.LIBCMT ref: 00000265B01C0005
free.LIBCMT ref: 00000265B01C0030
EncodePointer.KERNEL32 ref: 00000265B01C0038
free.LIBCMT ref: 00000265B01C0051
free.LIBCMT ref: 00000265B01C006A
free.LIBCMT ref: 00000265B01C009B

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction ID: f3e58972325384cb5429dc5b8ea673ecf93f4d946eed60964df7b4043f1f71e9
Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction Fuzzy Hash: 8E31CA35201EE181FE5DEB51EC6D7A823A4BF88BACF0C0619DE590A6EDDF6AC4458310

Function 00000265B01B7308 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000265B01B7336
select.WS2_32 ref: 00000265B01B738D
__WSAFDIsSet.WS2_32 ref: 00000265B01B739C
__WSAFDIsSet.WS2_32 ref: 00000265B01B73B4
GetTickCount.KERNEL32 ref: 00000265B01B73BD
gethostbyname.WS2_32 ref: 00000265B01B73D0
htons.WS2_32 ref: 00000265B01B73E8
inet_addr.WS2_32 ref: 00000265B01B73FA
sendto.WS2_32 ref: 00000265B01B7423

Strings

d, xrefs: 00000265B01B7347

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
String ID: d
API String ID: 1257931466-2564639436
Opcode ID: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
Instruction ID: 35fd7a97ad7fcb6eab08dcde9d179495a0901578876f0dc7b778e9799d6f8568
Opcode Fuzzy Hash: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
Instruction Fuzzy Hash: 34318D32214FD196EB248F61EC4979A77A4FB88B8CF085116EE8D47B28DF79C555CB00

Function 00000265B2086263 Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B2086295

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

__doserrno.LIBCMT ref: 00000265B208628C

Part of subcall function 00000265B20810EF: _getptd_noexit.LIBCMT ref: 00000265B20810F3

__doserrno.LIBCMT ref: 00000265B20862F2
_errno.LIBCMT ref: 00000265B20862F9
_invalid_parameter_noinfo.LIBCMT ref: 00000265B208635D

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction ID: d54195015986b5b480fae033f10d88a1169a41464e980058af8a31283e6b486b
Opcode Fuzzy Hash: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction Fuzzy Hash: CD31F930208F6D4EF3157F58D8EA37A7692EF46328F12065CE4268F6DBDA7698014761

Function 00000265B01B71FC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000265B01B721C
select.WS2_32 ref: 00000265B01B7282
__WSAFDIsSet.WS2_32 ref: 00000265B01B7291
__WSAFDIsSet.WS2_32 ref: 00000265B01B72A6
send.WS2_32 ref: 00000265B01B72BC
WSAGetLastError.WS2_32 ref: 00000265B01B72C7
Sleep.KERNEL32 ref: 00000265B01B72D9
GetTickCount.KERNEL32 ref: 00000265B01B72DF

Strings

d, xrefs: 00000265B01B722A

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepselectsend
String ID: d
API String ID: 2152284305-2564639436
Opcode ID: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
Instruction ID: 53b8a90e6cfe9c1d67dd7e72c5259f6ec333545abe7aeb17be38fa804d29dfe0
Opcode Fuzzy Hash: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
Instruction Fuzzy Hash: FF217F32214ED096E7649F21F8483897361FB8478CF584225EBAD47A98DF39C4558B44

Function 00000265B208704F Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B208707A

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

__doserrno.LIBCMT ref: 00000265B2087072

Part of subcall function 00000265B20810EF: _getptd_noexit.LIBCMT ref: 00000265B20810F3

__lock_fhandle.LIBCMT ref: 00000265B20870BE
_lseeki64_nolock.LIBCMT ref: 00000265B20870D7
_unlock_fhandle.LIBCMT ref: 00000265B20870FA

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction ID: de798710277f389ec24ef48c547b8d2a27056d859419dbc6257465556dad9657
Opcode Fuzzy Hash: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction Fuzzy Hash: 0A213A31618E584EF7197B5CDCEA3BA72D2EF82324F050248E41A8F6EFC66A48414775

Function 00000265B01AFB08 Relevance: 15.1, APIs: 10, Instructions: 91sleepfilepipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000265B01AFB29
GetLastError.KERNEL32 ref: 00000265B01AFB83
GetTickCount.KERNEL32 ref: 00000265B01AFB8E
Sleep.KERNEL32 ref: 00000265B01AFB9E
GetLastError.KERNEL32 ref: 00000265B01AFBAB
WriteFile.KERNEL32 ref: 00000265B01AFBDE
WriteFile.KERNEL32 ref: 00000265B01AFC0D
FlushFileBuffers.KERNEL32 ref: 00000265B01AFC25
DisconnectNamedPipe.KERNEL32 ref: 00000265B01AFC2F
Sleep.KERNEL32 ref: 00000265B01AFC43

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
String ID:
API String ID: 3101085627-0
Opcode ID: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
Instruction ID: 17cddfa089c2535c3aca1e2b6e190003d806caa24a47b05e36697e4af1db843b
Opcode Fuzzy Hash: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
Instruction Fuzzy Hash: 4F418232700EA09AE714AFB5D88879C3371FB98B9CF580226EE1957A5DDF3AC509C350

Function 00000265B2086ED7 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B2086F02

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

__doserrno.LIBCMT ref: 00000265B2086EFA

Part of subcall function 00000265B20810EF: _getptd_noexit.LIBCMT ref: 00000265B20810F3

__lock_fhandle.LIBCMT ref: 00000265B2086F46
_lseek_nolock.LIBCMT ref: 00000265B2086F5F
_unlock_fhandle.LIBCMT ref: 00000265B2086F80

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction ID: 3e40df24dfa01fec38fa2d81cae280e081140105c514ed3a31b1de77d555b0bb
Opcode Fuzzy Hash: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction Fuzzy Hash: A5213E31608A684EF318775CDCEA37E72D1DF85329F16025CE01A8F6DBD6A598014771

Function 00000265B01C6E1C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01C6E4E

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

__doserrno.LIBCMT ref: 00000265B01C6E45

Part of subcall function 00000265B01C1CA8: _getptd_noexit.LIBCMT ref: 00000265B01C1CAC

__doserrno.LIBCMT ref: 00000265B01C6EAB
_errno.LIBCMT ref: 00000265B01C6EB2
_invalid_parameter_noinfo.LIBCMT ref: 00000265B01C6F16

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
Instruction ID: 39e91dede449f05d69b025202cbe9d5f6c34b9fd0f8d49ec11bde49758afa342
Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
Instruction Fuzzy Hash: 2D31A932210AF08AE73E9FA5AC9936D2A51BF817BCF9D4119E9111F7DAC63AC4418710

Function 00000265B01CFD50 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000265B01CFD76
_errno.LIBCMT ref: 00000265B01CFD6B

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction ID: 36d8568fad6458f60ea978f15e6ec891c912e9c9a8951dd81d1ce97cbee4a438
Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction Fuzzy Hash: DC41F771600AF185FB789B529C083BD27E0FF54BBCF694129EA514BADED72AC8518700

Function 00000265B01C027C Relevance: 13.6, APIs: 9, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000265B01C0264: _mtinitlocknum.LIBCMT ref: 00000265B01C3DAA
Part of subcall function 00000265B01C0264: _amsg_exit.LIBCMT ref: 00000265B01C3DB6

DecodePointer.KERNEL32 ref: 00000265B01C02D8
DecodePointer.KERNEL32 ref: 00000265B01C02F6
EncodePointer.KERNEL32 ref: 00000265B01C0324
DecodePointer.KERNEL32 ref: 00000265B01C0339
EncodePointer.KERNEL32 ref: 00000265B01C0344
DecodePointer.KERNEL32 ref: 00000265B01C0356
DecodePointer.KERNEL32 ref: 00000265B01C0366
__crtCorExitProcess.LIBCMT ref: 00000265B01C03EA
ExitProcess.KERNEL32 ref: 00000265B01C03F2

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$EncodeExitProcess$__crt_amsg_exit_mtinitlocknum
String ID:
API String ID: 1550138920-0
Opcode ID: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
Instruction ID: c3105fca853df362a98876166dab6bf7bccb4678e3f03048d06968e589046ea9
Opcode Fuzzy Hash: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
Instruction Fuzzy Hash: 01418030206FE096E6699F11FC4931963A4BF98BACF4C1129DD8E47B6DDF3AC4968300

Function 00000265B01B6500 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00000265B01B6541
htons.WS2_32 ref: 00000265B01B6552
socket.WS2_32 ref: 00000265B01B6594
closesocket.WS2_32 ref: 00000265B01B65A9
gethostbyname.WS2_32 ref: 00000265B01B65C8
htons.WS2_32 ref: 00000265B01B65F8
ioctlsocket.WS2_32 ref: 00000265B01B6612
connect.WS2_32 ref: 00000265B01B662A
WSAGetLastError.WS2_32 ref: 00000265B01B6634

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
String ID:
API String ID: 3339321253-0
Opcode ID: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
Instruction ID: d42e08e2c6b237fa0c6f613a9c63334bc5be2445f5f591dff555c454f5d5baf6
Opcode Fuzzy Hash: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
Instruction Fuzzy Hash: D031C631314EE096EB299F25EC5979A6361FB94B9CF480224DE1A4769CDF3DC546C700

Function 00000265B208587B Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B20858A6

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

__doserrno.LIBCMT ref: 00000265B208589E

Part of subcall function 00000265B20810EF: _getptd_noexit.LIBCMT ref: 00000265B20810F3

__lock_fhandle.LIBCMT ref: 00000265B20858EA
_unlock_fhandle.LIBCMT ref: 00000265B2085924

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction ID: 80e83fc5346e838b1fdb6882ddd4b5f5029a87cb35e521f31a1e72c16e74c3bb
Opcode Fuzzy Hash: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction Fuzzy Hash: A8214E31618E584EF3146758DCEA3BE76D1DF81334F02024CE06A8F6DBE6A158014375

Function 00000265B01B6B98 Relevance: 13.6, APIs: 9, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000265B01B6BE0: htonl.WS2_32 ref: 00000265B01B6C3D
Part of subcall function 00000265B01B6BE0: select.WS2_32 ref: 00000265B01B6CAB
Part of subcall function 00000265B01B6BE0: __WSAFDIsSet.WS2_32 ref: 00000265B01B6CC3
Part of subcall function 00000265B01B6BE0: accept.WS2_32 ref: 00000265B01B6CE0
Part of subcall function 00000265B01B6BE0: ioctlsocket.WS2_32 ref: 00000265B01B6CF8
Part of subcall function 00000265B01B6BE0: __WSAFDIsSet.WS2_32 ref: 00000265B01B6D9B

GetTickCount.KERNEL32 ref: 00000265B01B6BAA

Part of subcall function 00000265B01B6F2C: malloc.LIBCMT ref: 00000265B01B6F5E
Part of subcall function 00000265B01B6F2C: htonl.WS2_32 ref: 00000265B01B6F91
Part of subcall function 00000265B01B6F2C: recvfrom.WS2_32 ref: 00000265B01B6FD5
Part of subcall function 00000265B01B6F2C: WSAGetLastError.WS2_32 ref: 00000265B01B6FE2

GetTickCount.KERNEL32 ref: 00000265B01B6BC2
GetTickCount.KERNEL32 ref: 00000265B01B70E0
GetTickCount.KERNEL32 ref: 00000265B01B70F6
shutdown.WS2_32 ref: 00000265B01B7115
shutdown.WS2_32 ref: 00000265B01B712A
closesocket.WS2_32 ref: 00000265B01B7134
free.LIBCMT ref: 00000265B01B7154
free.LIBCMT ref: 00000265B01B7169

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
String ID:
API String ID: 3610715900-0
Opcode ID: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
Instruction ID: 183180d27769613ddb34213c0cec76f74e91d1b7995d4c158c93c91dbbe6ba5f
Opcode Fuzzy Hash: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
Instruction Fuzzy Hash: 6A314331600EE186EB68BF65ED4D32933B0FF98B4CF1C8625EA594629DDF36C4518721

Function 00000265B208509F Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B20850C0

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

__doserrno.LIBCMT ref: 00000265B20850B8

Part of subcall function 00000265B20810EF: _getptd_noexit.LIBCMT ref: 00000265B20810F3

__lock_fhandle.LIBCMT ref: 00000265B2085104
_close_nolock.LIBCMT ref: 00000265B2085117
_unlock_fhandle.LIBCMT ref: 00000265B2085130

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction ID: b645e812c1005636191aa1074c18fcecbc256c7f103a342c90c7816406a8ac6d
Opcode Fuzzy Hash: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction Fuzzy Hash: 4C21F631125E684EE6156F648CF93BA7992EF41328F12061CE01A8F6DBE6B688004770

Function 00000265B01C7A90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01C7ABB

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

__doserrno.LIBCMT ref: 00000265B01C7AB3

Part of subcall function 00000265B01C1CA8: _getptd_noexit.LIBCMT ref: 00000265B01C1CAC

__lock_fhandle.LIBCMT ref: 00000265B01C7AFF
_lseek_nolock.LIBCMT ref: 00000265B01C7B18

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
String ID:
API String ID: 310312816-0
Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
Instruction ID: 8d2538d6e3f9d23ad2683fb4ace8b3f979c930a011b54f71d109c6410b3bed97
Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
Instruction Fuzzy Hash: 8521C332600EE046F73E6F659C8D3AD6551BF817BDF5D8114AA150F3EACBBAC8818724

Function 00000265B01C7C08 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01C7C33

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

__doserrno.LIBCMT ref: 00000265B01C7C2B

Part of subcall function 00000265B01C1CA8: _getptd_noexit.LIBCMT ref: 00000265B01C1CAC

__lock_fhandle.LIBCMT ref: 00000265B01C7C77
_lseeki64_nolock.LIBCMT ref: 00000265B01C7C90

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
String ID:
API String ID: 4140391395-0
Opcode ID: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
Instruction ID: e1b10df3ab49ef760039d509d88a55428ed0b03ca861388ff60c356576ffee9a
Opcode Fuzzy Hash: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
Instruction Fuzzy Hash: 1621D032600DE242F62E6B559C4A3AD6551BF81BBDF5D8604AA350F7EAC77AC4418328

Function 00000265B207F3B3 Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00000265B207F3E1

Part of subcall function 00000265B207E68B: _errno.LIBCMT ref: 00000265B207E6AB

free.LIBCMT ref: 00000265B207F3F6
free.LIBCMT ref: 00000265B207F417
free.LIBCMT ref: 00000265B207F42C
free.LIBCMT ref: 00000265B207F440
free.LIBCMT ref: 00000265B207F44C
free.LIBCMT ref: 00000265B207F477
free.LIBCMT ref: 00000265B207F498
free.LIBCMT ref: 00000265B207F4B1
free.LIBCMT ref: 00000265B207F4E2

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction ID: 90f13a327c962bf344f16379c372b9bc4d46bb511af6f36d59c17fc55bd9a17c
Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction Fuzzy Hash: CA415234255E1E8FFBA4EB58D9ED77432D1F76835AF6444399009C21F6CA3D8846CB22

Function 00007FF65B3B1AD0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF65B3B1BEB

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF65B3B1C81
VirtualProtect failed with code 0x%x, xrefs: 00007FF65B3B1C5E
Address %p has no image-section, xrefs: 00007FF65B3B1B42, 00007FF65B3B1C95
Mingw-w64 runtime failure:, xrefs: 00007FF65B3B1B07

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: c5a47b6f6d891a9f207a9c246c0f995efe0e8e3112593621035a99a2761c38b2
Instruction ID: 0425d59e96acd6af37b4ae42459a90f7624644a710f9d4c9ef66a70764fb3f54
Opcode Fuzzy Hash: c5a47b6f6d891a9f207a9c246c0f995efe0e8e3112593621035a99a2761c38b2
Instruction Fuzzy Hash: C7517D72B18E4682EA109B11E8416A97B60FB8DBD4F588235DE4CB73B8EF3CE545C740

Function 00000265B01B3A64 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 113sleepprocesslibraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000265B01B3ACE
GetProcAddress.KERNEL32 ref: 00000265B01B3ADE

Part of subcall function 00000265B01B3984: malloc.LIBCMT ref: 00000265B01B39C2
Part of subcall function 00000265B01B3984: free.LIBCMT ref: 00000265B01B3A45

CreateToolhelp32Snapshot.KERNEL32 ref: 00000265B01B3B10
Thread32Next.KERNEL32 ref: 00000265B01B3B7A
Sleep.KERNEL32 ref: 00000265B01B3B90

Strings

ntdll, xrefs: 00000265B01B3A99
NtQueueApcThread, xrefs: 00000265B01B3AD4

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AddressCreateHandleModuleNextProcSleepSnapshotThread32Toolhelp32freemalloc
String ID: NtQueueApcThread$ntdll
API String ID: 1427994231-1374908105
Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
Instruction ID: 60f0be30e85583e9f422ae70f9ac8b7cd76b43e798abc877ec9115112de42a6c
Opcode Fuzzy Hash: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
Instruction Fuzzy Hash: 9A418D32701FA199EB18EB61E84839C73A4BB8878CF584125DE4C53B4CEF39C556C750

Function 00000265B01C6434 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01C645F

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

__doserrno.LIBCMT ref: 00000265B01C6457

Part of subcall function 00000265B01C1CA8: _getptd_noexit.LIBCMT ref: 00000265B01C1CAC

__lock_fhandle.LIBCMT ref: 00000265B01C64A3

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
String ID:
API String ID: 2611593033-0
Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
Instruction ID: df6de5b8cfbd959ccd0cb4d8d022f01b2c3309243cd3af3d5ab9f2e7d3d14a22
Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
Instruction Fuzzy Hash: 0621FF32604AE04AF73E6F649C4D3AD7950BF81BBDF6D0114AA160F3EACA7AC8418710

Function 00000265B01CA73C Relevance: 12.1, APIs: 8, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01CA755

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

__lock_fhandle.LIBCMT ref: 00000265B01CA79D
FlushFileBuffers.KERNEL32 ref: 00000265B01CA7B8
GetLastError.KERNEL32 ref: 00000265B01CA7C2
__doserrno.LIBCMT ref: 00000265B01CA7D2
_errno.LIBCMT ref: 00000265B01CA7D9

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit
String ID:
API String ID: 2289611984-0
Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
Instruction ID: 19748c5867244da095da79287b46add4df2273576e24a1aa3bffdf3ee4734649
Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
Instruction Fuzzy Hash: 1421A431201FE046E63E5FA59C8D36D7664BF8177CF9D0158D6160F2EACA7BC8828354

Function 00000265B01C5C58 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01C5C79

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

__doserrno.LIBCMT ref: 00000265B01C5C71

Part of subcall function 00000265B01C1CA8: _getptd_noexit.LIBCMT ref: 00000265B01C1CAC

__lock_fhandle.LIBCMT ref: 00000265B01C5CBD
_close_nolock.LIBCMT ref: 00000265B01C5CD0

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
String ID:
API String ID: 4060740672-0
Opcode ID: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
Instruction ID: 9cf95f2d9798874ec2f798787ce6a47af56cf6f44be96c493e33e6c68f9838c3
Opcode Fuzzy Hash: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
Instruction Fuzzy Hash: EA119632640FE046F33D6FA59C8D36C6551BF8177DF6D0615D9160F2EAC67AC4818714

Function 00000265B2063A53 Relevance: 11.6, APIs: 9, Instructions: 305COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B2063AF0

Part of subcall function 00000265B207E6CB: _FF_MSGBANNER.LIBCMT ref: 00000265B207E6FB
Part of subcall function 00000265B207E6CB: _NMSG_WRITE.LIBCMT ref: 00000265B207E705
Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E739
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E744
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E74F

malloc.LIBCMT ref: 00000265B2063AFA

Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E75F
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E764

malloc.LIBCMT ref: 00000265B2063B05
free.LIBCMT ref: 00000265B2063CC5
free.LIBCMT ref: 00000265B2063CCD
free.LIBCMT ref: 00000265B2063CD5

Part of subcall function 00000265B2064937: malloc.LIBCMT ref: 00000265B2064981
Part of subcall function 00000265B2064937: malloc.LIBCMT ref: 00000265B206498C
Part of subcall function 00000265B2064937: free.LIBCMT ref: 00000265B2064A73
Part of subcall function 00000265B2064937: free.LIBCMT ref: 00000265B2064A7B

free.LIBCMT ref: 00000265B2063CE1
free.LIBCMT ref: 00000265B2063CEE
free.LIBCMT ref: 00000265B2063CFB

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction ID: 2154d469198ba98d4344391739f3f7fe03f837733e8b9a0de1b63400ba6e52fb
Opcode Fuzzy Hash: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction Fuzzy Hash: 67910730318F1D4BD72AAF2D94A97B973D1EB95B18F40421EE48AC3297DE219C0287D7

Function 00000265B01A460C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01A46A9

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

malloc.LIBCMT ref: 00000265B01A46B3

Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF318
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF31D

malloc.LIBCMT ref: 00000265B01A46BE
free.LIBCMT ref: 00000265B01A487E
free.LIBCMT ref: 00000265B01A4886
free.LIBCMT ref: 00000265B01A488E

Part of subcall function 00000265B01A54F0: malloc.LIBCMT ref: 00000265B01A553A
Part of subcall function 00000265B01A54F0: malloc.LIBCMT ref: 00000265B01A5545
Part of subcall function 00000265B01A54F0: free.LIBCMT ref: 00000265B01A562C
Part of subcall function 00000265B01A54F0: free.LIBCMT ref: 00000265B01A5634

free.LIBCMT ref: 00000265B01A489A
free.LIBCMT ref: 00000265B01A48A7
free.LIBCMT ref: 00000265B01A48B4

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh$AllocHeap
String ID:
API String ID: 3534990644-0
Opcode ID: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
Instruction ID: 8cc4b7f88f1d41727e5ef417cdb8deee373e5bfb01e7709390ea09677eb60ef9
Opcode Fuzzy Hash: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
Instruction Fuzzy Hash: 0171D536304BF447EF29AAA6A8587AA7791FFC5BCCF0841199E4657B8ADB3DC405C700

Function 00000265B01BB47C Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 258COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000265B01B5FEC: malloc.LIBCMT ref: 00000265B01B6008

malloc.LIBCMT ref: 00000265B01BB528

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

Part of subcall function 00000265B01BEAA8: malloc.LIBCMT ref: 00000265B01BEAF8

GetComputerNameExA.KERNEL32 ref: 00000265B01BB5EA
GetComputerNameA.KERNEL32 ref: 00000265B01BB61F
GetUserNameA.ADVAPI32 ref: 00000265B01BB654

Part of subcall function 00000265B01AF014: WSASocketA.WS2_32 ref: 00000265B01AF042

malloc.LIBCMT ref: 00000265B01BB76D

Strings

VUUU, xrefs: 00000265B01BB6B0

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
String ID: VUUU
API String ID: 632458648-2040033107
Opcode ID: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
Instruction ID: 2a8b3c2b06f27ac703a47f1b4932de86a278ceb191799609d01b5136f589160d
Opcode Fuzzy Hash: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
Instruction Fuzzy Hash: 03A18235700EF046FB18BB6A9D993A92261BFD57CCF888025E94957B9EDF7AC9058300

Function 00000265B01B1478 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128processCOMMON

Download Yara Rule

APIs

Part of subcall function 00000265B01B5FEC: malloc.LIBCMT ref: 00000265B01B6008

GetStartupInfoA.KERNEL32 ref: 00000265B01B1540

Part of subcall function 00000265B01AFE54: MultiByteToWideChar.KERNEL32 ref: 00000265B01AFE81
Part of subcall function 00000265B01AFE54: MultiByteToWideChar.KERNEL32 ref: 00000265B01AFEA9

GetCurrentDirectoryW.KERNEL32 ref: 00000265B01B15CD
GetCurrentDirectoryW.KERNEL32 ref: 00000265B01B15DC
CreateProcessWithLogonW.ADVAPI32 ref: 00000265B01B1637
GetLastError.KERNEL32 ref: 00000265B01B1641

Strings

%s as %s\%s: %d, xrefs: 00000265B01B1647

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
String ID: %s as %s\%s: %d
API String ID: 3435635427-816037529
Opcode ID: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
Instruction ID: 6b387fc2d67d6a014391ecfedae7f98d621336c6adae75e94fa1f9d10de98b8d
Opcode Fuzzy Hash: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
Instruction Fuzzy Hash: C2515E32204F9186E764DF16B84475AB7A5FBD9B88F484125EE8943B6DDF3DC056CB00

Function 00000265B207F257 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B207F27D

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

_invalid_parameter_noinfo.LIBCMT ref: 00000265B207F289
__crtIsPackagedApp.LIBCMT ref: 00000265B207F29A
_dosmaperr.LIBCMT ref: 00000265B207F2E4

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction ID: 89ee90d6c480f0ae5500d615f03bbbbb4a8cb32f12b3f4124bbc7bcc07a65827
Opcode Fuzzy Hash: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction Fuzzy Hash: 5531F430614E1D8FFB44EF7898AD37972D1FF98319F14426DA44AC72EAEA39C8418752

Function 00000265B01BE98C Relevance: 10.6, APIs: 7, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000265B01BE9D7
OpenProcessToken.ADVAPI32 ref: 00000265B01BE9FB
GetLastError.KERNEL32 ref: 00000265B01BEA05

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: ErrorLast$OpenProcessToken
String ID:
API String ID: 2009710997-0
Opcode ID: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
Instruction ID: af69da07114a3e106d052e80983b80698ac4bfaa6d712a3cb0b3b48bffc1325a
Opcode Fuzzy Hash: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
Instruction Fuzzy Hash: 41318F35704FA042FB18FB62EC9975A66D0BFD9B9CF1C4128EA4643699DF3EC446CA40

Function 00000265B2089B83 Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B2089B9C

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

__lock_fhandle.LIBCMT ref: 00000265B2089BE4
__doserrno.LIBCMT ref: 00000265B2089C19
_errno.LIBCMT ref: 00000265B2089C20
_unlock_fhandle.LIBCMT ref: 00000265B2089C30

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction ID: 148feecebfb853a69c3891a9fc8f8c33ce26affcb36dacef0e08a93b50839cd7
Opcode Fuzzy Hash: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction Fuzzy Hash: A021D030608E6D8EE7147BA898F937A76D2AF41318F05022CE11A8F7DBD66B58408375

Function 00000265B01CFBD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00000265B01CFC04

Part of subcall function 00000265B01C1600: _getptd.LIBCMT ref: 00000265B01C1616
Part of subcall function 00000265B01C1600: __updatetlocinfo.LIBCMT ref: 00000265B01C164B
Part of subcall function 00000265B01C1600: __updatetmbcinfo.LIBCMT ref: 00000265B01C1672

_errno.LIBCMT ref: 00000265B01CFC1F
_invalid_parameter_noinfo.LIBCMT ref: 00000265B01CFC2A

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction ID: 596527fb2956cf06ef0f9c17d9c11670ce0b2f2a69f9a8ca5f700cec573eb03b
Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction Fuzzy Hash: 6A31A072304BE886E7389B51D849B9DB6A4FB44BFCF1C4125EE540BB99CB36C851C704

Function 00000265B01B596C Relevance: 10.6, APIs: 7, Instructions: 52COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000265B01B597D
ioctlsocket.WS2_32 ref: 00000265B01B599E
GetTickCount.KERNEL32 ref: 00000265B01B59E3
ioctlsocket.WS2_32 ref: 00000265B01B5A05

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CountTickioctlsocket
String ID:
API String ID: 3686034022-0
Opcode ID: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
Instruction ID: 98b6fba4812263e1c1648aed8c274acaa5a4d007cfc7017489ebb128e29a710d
Opcode Fuzzy Hash: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
Instruction Fuzzy Hash: 6B119431204EE096F7186B65EC4D3597360FF84BACF580324DA65866E8DF7AD88A9710

Function 00000265B01B0AA0 Relevance: 10.5, APIs: 7, Instructions: 45pipethreadfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000265B01B0AC6
ConnectNamedPipe.KERNEL32 ref: 00000265B01B0ADC
ReadFile.KERNEL32 ref: 00000265B01B0B06
ImpersonateNamedPipeClient.ADVAPI32 ref: 00000265B01B0B17
GetCurrentThread.KERNEL32 ref: 00000265B01B0B21
OpenThreadToken.ADVAPI32 ref: 00000265B01B0B39
DisconnectNamedPipe.KERNEL32 ref: 00000265B01B0B4F

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
String ID:
API String ID: 4232080776-0
Opcode ID: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
Instruction ID: 9a3f15cbadba4de07a9813a06cdd863109740abce50f0241cbdf0e6db5d47366
Opcode Fuzzy Hash: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
Instruction Fuzzy Hash: 5F21BE32210EE086F759AB21EC9D76A3365FFD8B4CF8C0216E80A425ADCF6EC549C710

Function 00000265B01C0B10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01C0B4C

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

_invalid_parameter_noinfo.LIBCMT ref: 00000265B01C0B57
memcpy_s.LIBCMT ref: 00000265B01C0C1C
_fileno.LIBCMT ref: 00000265B01C0C87
_filbuf.LIBCMT ref: 00000265B01C0CB5
_errno.LIBCMT ref: 00000265B01C0D05

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction ID: e8b3aac241594f0927df6dbc4c6429e54a841ccd37561cae6fa1cc8e417a5e95
Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction Fuzzy Hash: 89510931704EF086FA3E8AA65D087696694BF44BFCF1C4714AE394BBDDCB36D8918240

Function 00000265B01CA348 Relevance: 9.1, APIs: 6, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 00000265B01CA375

Part of subcall function 00000265B01C3E58: _FF_MSGBANNER.LIBCMT ref: 00000265B01C3E75
Part of subcall function 00000265B01C3E58: _NMSG_WRITE.LIBCMT ref: 00000265B01C3E7F

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000265B01CA3F8
EnterCriticalSection.KERNEL32 ref: 00000265B01CA414
LeaveCriticalSection.KERNEL32 ref: 00000265B01CA424
_calloc_crt.LIBCMT ref: 00000265B01CA49A
__lock_fhandle.LIBCMT ref: 00000265B01CA502

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
String ID:
API String ID: 445582508-0
Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
Instruction ID: fcaaf49fda44208da46ca93b73088a42dce2f4c5393bad58fa0b58871b46620c
Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
Instruction Fuzzy Hash: FA51BD32605EE082EB3A8F10D848329A7A5FF94B6CF9D4155DA4A4B7E8DB7AC841C700

Function 00000265B01B1694 Relevance: 9.1, APIs: 6, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 00000265B01B5FEC: malloc.LIBCMT ref: 00000265B01B6008

Part of subcall function 00000265B01C0620: _errno.LIBCMT ref: 00000265B01C0577
Part of subcall function 00000265B01C0620: _invalid_parameter_noinfo.LIBCMT ref: 00000265B01C0582

fseek.LIBCMT ref: 00000265B01B1730

Part of subcall function 00000265B01C0EA4: _errno.LIBCMT ref: 00000265B01C0ECC
Part of subcall function 00000265B01C0EA4: _invalid_parameter_noinfo.LIBCMT ref: 00000265B01C0ED7

_ftelli64.LIBCMT ref: 00000265B01B1738

Part of subcall function 00000265B01C0F18: _errno.LIBCMT ref: 00000265B01C0F36
Part of subcall function 00000265B01C0F18: _invalid_parameter_noinfo.LIBCMT ref: 00000265B01C0F41

fseek.LIBCMT ref: 00000265B01B1748

Part of subcall function 00000265B01C0EA4: _fseek_nolock.LIBCMT ref: 00000265B01C0EF5

GetFullPathNameA.KERNEL32 ref: 00000265B01B176B
malloc.LIBCMT ref: 00000265B01B1788

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

Part of subcall function 00000265B01AD044: malloc.LIBCMT ref: 00000265B01AD057

Part of subcall function 00000265B01AD074: htonl.WS2_32 ref: 00000265B01AD07F

fclose.LIBCMT ref: 00000265B01B1845

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
String ID:
API String ID: 3587854850-0
Opcode ID: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
Instruction ID: 5f25075e232cfb397a4eaf3a946f17b0dd5688ef36ed9946b0116ea98882b198
Opcode Fuzzy Hash: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
Instruction Fuzzy Hash: 0A41A431300EE046EA18EB129C597AD6251BFD8BDCF488125EE5A477DADF3EC506C700

Function 00000265B01B5C60 Relevance: 9.1, APIs: 6, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 00000265B01B5C78
GetOEMCP.KERNEL32 ref: 00000265B01B5C82
GetCurrentProcessId.KERNEL32 ref: 00000265B01B5CA8
GetTickCount.KERNEL32 ref: 00000265B01B5CB0

Part of subcall function 00000265B01C044C: _getptd.LIBCMT ref: 00000265B01C0454

GetCurrentProcess.KERNEL32 ref: 00000265B01B5CEC

Part of subcall function 00000265B01B0C64: GetModuleHandleA.KERNEL32 ref: 00000265B01B0C79
Part of subcall function 00000265B01B0C64: GetProcAddress.KERNEL32 ref: 00000265B01B0C89

GetCurrentProcessId.KERNEL32 ref: 00000265B01B5D5E

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
String ID:
API String ID: 3426420785-0
Opcode ID: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
Instruction ID: 8cdff15867be3cf14ba58afed8377c8bfbf3a9196d91c18268e18ca4fd178b14
Opcode Fuzzy Hash: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
Instruction Fuzzy Hash: 56417E31710EB055FB08EBB1DC8D7D926A4BF8879CF484511EE1A476AEDF3AC1068710

Function 00000265B01AEA48 Relevance: 9.1, APIs: 6, Instructions: 109networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000265B01BE0FC: RevertToSelf.ADVAPI32 ref: 00000265B01BE10A

InternetOpenA.WININET ref: 00000265B01AEB0C
InternetSetOptionA.WININET ref: 00000265B01AEB2C
InternetSetOptionA.WININET ref: 00000265B01AEB44
InternetConnectA.WININET ref: 00000265B01AEB7A
InternetSetOptionA.WININET ref: 00000265B01AEBB7
InternetSetOptionA.WININET ref: 00000265B01AEBE2

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: Internet$Option$ConnectOpenRevertSelf
String ID:
API String ID: 1513466045-0
Opcode ID: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
Instruction ID: 0339c4326fb9d8e1f1eae201d5f5a94a45ed63649c706a146237130b5202c36f
Opcode Fuzzy Hash: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
Instruction Fuzzy Hash: 5E419A75200FE182EB2CEB11EC99BA97791FB8474DF084115DA5B07BAADF7EC4068700

Function 00000265B01B6F2C Relevance: 9.1, APIs: 6, Instructions: 99networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01B6F5E

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

htonl.WS2_32 ref: 00000265B01B6F91
recvfrom.WS2_32 ref: 00000265B01B6FD5
WSAGetLastError.WS2_32 ref: 00000265B01B6FE2

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
String ID:
API String ID: 2310505145-0
Opcode ID: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
Instruction ID: 95c7502f8a78719018ceec9504124ba8b4abddff9977be5ab39bc027f4858169
Opcode Fuzzy Hash: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
Instruction Fuzzy Hash: E0415171205EE0C6EB18AF25EC4871A77A1FB9579CF5C8215FA89477ACDB3AC481CB10

Function 00000265B01B79C4 Relevance: 9.1, APIs: 6, Instructions: 96threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000265B01B79FF
UpdateProcThreadAttribute.KERNEL32 ref: 00000265B01B7A3F
GetLastError.KERNEL32 ref: 00000265B01B7A49
GetCurrentProcess.KERNEL32 ref: 00000265B01B7A7E
GetCurrentProcess.KERNEL32 ref: 00000265B01B7ABE
GetCurrentProcess.KERNEL32 ref: 00000265B01B7AEF

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
String ID:
API String ID: 1014270282-0
Opcode ID: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
Instruction ID: 82c9577e9c2b559908c129caf23edd3a766dae92803f800063ff033377e67f55
Opcode Fuzzy Hash: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
Instruction Fuzzy Hash: F7418132614FD086EB58DF62E8483997794FB89BDCF0C4625EA4943B99DB3DC6058B10

Function 00000265B207FA67 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B207F9BE

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

_invalid_parameter_noinfo.LIBCMT ref: 00000265B207F9C9
_getstream.LIBCMT ref: 00000265B207F9E9
_errno.LIBCMT ref: 00000265B207F9FB
_errno.LIBCMT ref: 00000265B207FA0D
_openfile.LIBCMT ref: 00000265B207FA3B

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 14f9975bf4e765c4172f8029720c17abc7a3d9028f0f4e986d1a5709473ec300
Instruction ID: 7656f341f0d7cb759ca35ec77cf28f5a681182cffc07d1e9fb54a8d8fcf740fc
Opcode Fuzzy Hash: 14f9975bf4e765c4172f8029720c17abc7a3d9028f0f4e986d1a5709473ec300
Instruction Fuzzy Hash: AA213D70628F6E5FF790BB3C489D37A76D2FB98308F01052A9449C72AAEE35CC404362

Function 00000265B01C0620 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01C0577

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

_invalid_parameter_noinfo.LIBCMT ref: 00000265B01C0582
_getstream.LIBCMT ref: 00000265B01C05A2
_errno.LIBCMT ref: 00000265B01C05B4
_errno.LIBCMT ref: 00000265B01C05C6
_openfile.LIBCMT ref: 00000265B01C05F4

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
Instruction ID: 0eeefffcb98c2d54062534211f630df5972e22edd132d828c6685da9662f87b0
Opcode Fuzzy Hash: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
Instruction Fuzzy Hash: 46210871314EE186F73A9B619C0835DA6987F45BECF4C442099498FB9EDB3EC5508B00

Function 00000265B01AFC64 Relevance: 9.1, APIs: 6, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01AFC85

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

free.LIBCMT ref: 00000265B01AFCC0
fwrite.LIBCMT ref: 00000265B01AFD01
fclose.LIBCMT ref: 00000265B01AFD09
free.LIBCMT ref: 00000265B01AFD16

Part of subcall function 00000265B01BF244: HeapFree.KERNEL32 ref: 00000265B01BF25A
Part of subcall function 00000265B01BF244: _errno.LIBCMT ref: 00000265B01BF264
Part of subcall function 00000265B01BF244: GetLastError.KERNEL32 ref: 00000265B01BF26C

GetLastError.KERNEL32 ref: 00000265B01AFD1B

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
String ID:
API String ID: 1616846154-0
Opcode ID: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
Instruction ID: 98647ebaea8a0a7d86aba9305c0cc23b4bfe578f7fb00ba42b7a8d562a236c03
Opcode Fuzzy Hash: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
Instruction Fuzzy Hash: DA116035704FE041E928F752A8593AE5291BFD5BECF4C4225AE694BBCEDF2EC5018740

Function 00000265B01B4488 Relevance: 9.1, APIs: 6, Instructions: 51pipefileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000265B01B44A6
WaitNamedPipeA.KERNEL32 ref: 00000265B01B44BB
CreateFileA.KERNEL32 ref: 00000265B01B44E5
SetNamedPipeHandleState.KERNEL32 ref: 00000265B01B4507
DisconnectNamedPipe.KERNEL32 ref: 00000265B01B4514
SetLastError.KERNEL32 ref: 00000265B01B4529

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
String ID:
API String ID: 3798860377-0
Opcode ID: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
Instruction ID: 7f5c9103b9ca14fa780ebb3aa5e1907737ae77f9922941c9b53ab191565053fd
Opcode Fuzzy Hash: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
Instruction Fuzzy Hash: 77118432604EA093FB249B25FD5D71D6291FBD4BACF488210EA6A57A9CCF7DC4468701

Function 00000265B01BEFEC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01BF00F

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

malloc.LIBCMT ref: 00000265B01BF01D

Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF318
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF31D

malloc.LIBCMT ref: 00000265B01BF03F
_snprintf.LIBCMT ref: 00000265B01BF05A

Part of subcall function 00000265B01BF63C: _errno.LIBCMT ref: 00000265B01BF673
Part of subcall function 00000265B01BF63C: _invalid_parameter_noinfo.LIBCMT ref: 00000265B01BF67E

malloc.LIBCMT ref: 00000265B01BF075

Strings

HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 00000265B01BF044

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
API String ID: 3518644649-2739389480
Opcode ID: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
Instruction ID: 93c224f93d7148299d491cae9f2e75e38a9bfe36a2097c143ebd37037a161187
Opcode Fuzzy Hash: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
Instruction Fuzzy Hash: A901A135601BE041EA48EB52B8487596699FBC8BE8F184219FEA9477CACF39C0418780

Function 00000265B01B31F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 00000265B01B322E
strchr.LIBCMT ref: 00000265B01B324C
malloc.LIBCMT ref: 00000265B01B3264
malloc.LIBCMT ref: 00000265B01B3271
rand.LIBCMT ref: 00000265B01B333D
free.LIBCMT ref: 00000265B01B345B
free.LIBCMT ref: 00000265B01B3463

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$rand
String ID:
API String ID: 1305919620-0
Opcode ID: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
Instruction ID: 0040ed011982af758725ad8190e9095cf580942dc6026471c300bb674fe10dee
Opcode Fuzzy Hash: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
Instruction Fuzzy Hash: 52710B72604FD441FA2AAF29A8193EA6390FFD5B9CF0C5115DF85177AADF2EC1568300

Function 00000265B20635B7 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B2063604

Part of subcall function 00000265B207E6CB: _FF_MSGBANNER.LIBCMT ref: 00000265B207E6FB
Part of subcall function 00000265B207E6CB: _NMSG_WRITE.LIBCMT ref: 00000265B207E705
Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E739
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E744
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E74F

malloc.LIBCMT ref: 00000265B206360F

Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E75F
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E764

free.LIBCMT ref: 00000265B20636F6
free.LIBCMT ref: 00000265B20636FE
free.LIBCMT ref: 00000265B2063706
free.LIBCMT ref: 00000265B2063712
free.LIBCMT ref: 00000265B206371F

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction ID: 9f74afb3ceef36df7a457cc44e1d68776349c6fc787a1442939fdd6264e99479
Opcode Fuzzy Hash: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction Fuzzy Hash: 4551E934218E1E4BE75A9B2D94A967A73D0FB59748F40812DE84AC329BEF11DC02C7D6

Function 00000265B01A4170 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01A41BD

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

malloc.LIBCMT ref: 00000265B01A41C8

Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF318
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF31D

free.LIBCMT ref: 00000265B01A42AF
free.LIBCMT ref: 00000265B01A42B7
free.LIBCMT ref: 00000265B01A42BF
free.LIBCMT ref: 00000265B01A42CB
free.LIBCMT ref: 00000265B01A42D8

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
Instruction ID: e7244914e68d0f10a1751ba5a60213503f6ba51f3d730e784b6cc07c1d28a71d
Opcode Fuzzy Hash: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
Instruction Fuzzy Hash: 3541BC32300FF18BEA5D9B66AD5836A27A4FB89B8CF484125EF6617749DF35D422C300

Function 00000265B01AF274 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 00000265B01AF2ED
htonl.WS2_32 ref: 00000265B01AF2F7
malloc.LIBCMT ref: 00000265B01AF310
free.LIBCMT ref: 00000265B01AF37D

Strings

zyxwvutsrqponmlk, xrefs: 00000265B01AF34C

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: htonl$freemalloc
String ID: zyxwvutsrqponmlk
API String ID: 1249573706-3884694604
Opcode ID: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
Instruction ID: 9dc242aca840f79a25bbc3edb67af1a5048fe97fa6f871980fe45629802cc5c2
Opcode Fuzzy Hash: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
Instruction Fuzzy Hash: 5E31EA31301BE046EB18EA76AD593696691BF95BDCF084438ED5A47B9FDB3DC4468300

Function 00000265B01B3FA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000265B01B3FE7
GetProcAddress.KERNEL32 ref: 00000265B01B3FF7
GetLastError.KERNEL32 ref: 00000265B01B40BF

Part of subcall function 00000265B01BCC00: GetCurrentProcess.KERNEL32 ref: 00000265B01BCC8D

Part of subcall function 00000265B01BD134: GetCurrentProcess.KERNEL32 ref: 00000265B01BD161

Strings

ntdll.dll, xrefs: 00000265B01B3FD9
NtMapViewOfSection, xrefs: 00000265B01B3FED

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CurrentProcess$AddressErrorHandleLastModuleProc
String ID: NtMapViewOfSection$ntdll.dll
API String ID: 1006775078-3170647572
Opcode ID: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
Instruction ID: 0125ac618860e30cae47a1d00271a07dba37843a279663bfab72a2e89dfba98e
Opcode Fuzzy Hash: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
Instruction Fuzzy Hash: 5531B632700F9482EB18EB51A8597596790FB98BBCF084725EE69077D9DF7DC4458700

Function 00000265B01B1FB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01B1FD2

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

_snprintf.LIBCMT ref: 00000265B01B1FF1

Part of subcall function 00000265B01BF63C: _errno.LIBCMT ref: 00000265B01BF673
Part of subcall function 00000265B01BF63C: _invalid_parameter_noinfo.LIBCMT ref: 00000265B01BF67E

remove.LIBCMT ref: 00000265B01B1FFD
remove.LIBCMT ref: 00000265B01B2004

Strings

%s\%s, xrefs: 00000265B01B1FD7

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID: %s\%s
API String ID: 1896346573-4073750446
Opcode ID: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
Instruction ID: e420fdfa2ad1df70992b7e26783a7f06000d8eacd8c8a577f91461318ff94894
Opcode Fuzzy Hash: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
Instruction Fuzzy Hash: 8FF06D35204FE085E618AB11BC1529AA260FB88BDCF5C4125BF8817B9ECF3AC4118744

Function 00000265B206BEBB Relevance: 7.9, APIs: 6, Instructions: 411COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000265B2075433: malloc.LIBCMT ref: 00000265B207544F

malloc.LIBCMT ref: 00000265B206BF82

Part of subcall function 00000265B207E6CB: _FF_MSGBANNER.LIBCMT ref: 00000265B207E6FB
Part of subcall function 00000265B207E6CB: _NMSG_WRITE.LIBCMT ref: 00000265B207E705
Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E739
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E744
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E74F

Part of subcall function 00000265B207B677: malloc.LIBCMT ref: 00000265B207B6E3

Part of subcall function 00000265B207DEEF: malloc.LIBCMT ref: 00000265B207DF3F

Part of subcall function 00000265B207DEEF: realloc.LIBCMT ref: 00000265B207DF4E

malloc.LIBCMT ref: 00000265B206C091
_snprintf.LIBCMT ref: 00000265B206C108
_snprintf.LIBCMT ref: 00000265B206C12E
_snprintf.LIBCMT ref: 00000265B206C155
free.LIBCMT ref: 00000265B206C30D

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno$_callnewhfreerealloc
String ID:
API String ID: 74200508-0
Opcode ID: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction ID: f82a73cc6f2ad2728dc14838c2d0490ead91a4ba237c045a2a84f89302fc6eb4
Opcode Fuzzy Hash: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction Fuzzy Hash: EFD1B930714E2C4BF759BB6584EE7B972D2EB94304F10452DA44BC32EBDE36D80687A2

Function 00007FF65B3B2E00 Relevance: 7.8, APIs: 5, Instructions: 299COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF65B3B2F81
fputc.MSVCRT ref: 00007FF65B3B30B2

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: fputcmemset
String ID:
API String ID: 947785774-0
Opcode ID: 555f8774b8e81171a088c9ae3eef83ff67c5074706860f87334bd2843081a2d8
Instruction ID: e5ba10496a4496e123422b110033c234012989d7016ac7815ec08934b7299dcf
Opcode Fuzzy Hash: 555f8774b8e81171a088c9ae3eef83ff67c5074706860f87334bd2843081a2d8
Instruction Fuzzy Hash: 49B1D6A2E1895186EB258E29D8043393A91BF087A4F1D4335DA1EBB7EDCE3CE941C741

Function 00000265B207263B Relevance: 7.8, APIs: 6, Instructions: 264stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 00000265B2072675
strchr.LIBCMT ref: 00000265B2072693
malloc.LIBCMT ref: 00000265B20726AB
malloc.LIBCMT ref: 00000265B20726B8
free.LIBCMT ref: 00000265B20728A2
free.LIBCMT ref: 00000265B20728AA

Part of subcall function 00000265B207E68B: _errno.LIBCMT ref: 00000265B207E6AB

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$_errno
String ID:
API String ID: 4025974267-0
Opcode ID: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction ID: 16ce87273dcb52e014cd966505d55594e570efb61a7919a077fc54a542d34bbe
Opcode Fuzzy Hash: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction Fuzzy Hash: E281E930618EAC4FE7A5AB2C846D3F673D1FF99309F04016DD589C71ABDA36884783A1

Function 00000265B2070ADB Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00000265B2075433: malloc.LIBCMT ref: 00000265B207544F

Part of subcall function 00000265B207FA67: _errno.LIBCMT ref: 00000265B207F9BE
Part of subcall function 00000265B207FA67: _invalid_parameter_noinfo.LIBCMT ref: 00000265B207F9C9

fseek.LIBCMT ref: 00000265B2070B77

Part of subcall function 00000265B20802EB: _errno.LIBCMT ref: 00000265B2080313
Part of subcall function 00000265B20802EB: _invalid_parameter_noinfo.LIBCMT ref: 00000265B208031E

_ftelli64.LIBCMT ref: 00000265B2070B7F

Part of subcall function 00000265B208035F: _errno.LIBCMT ref: 00000265B208037D
Part of subcall function 00000265B208035F: _invalid_parameter_noinfo.LIBCMT ref: 00000265B2080388

fseek.LIBCMT ref: 00000265B2070B8F

Part of subcall function 00000265B20802EB: _fseek_nolock.LIBCMT ref: 00000265B208033C

malloc.LIBCMT ref: 00000265B2070BCF

Part of subcall function 00000265B207E6CB: _FF_MSGBANNER.LIBCMT ref: 00000265B207E6FB
Part of subcall function 00000265B207E6CB: _NMSG_WRITE.LIBCMT ref: 00000265B207E705
Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E739
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E744
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E74F

fclose.LIBCMT ref: 00000265B2070C8C

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction ID: 74c90bb4224708072b02ce85cce120cfbabbded78929c3dd93076fabf246c93d
Opcode Fuzzy Hash: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction Fuzzy Hash: EF518A31628E1C4FD749EB2894ED7B972D2FB88304F50466DE44BC32EBDD3599068792

Function 00000265B208978F Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 00000265B20897BC

Part of subcall function 00000265B208329F: _FF_MSGBANNER.LIBCMT ref: 00000265B20832BC
Part of subcall function 00000265B208329F: _NMSG_WRITE.LIBCMT ref: 00000265B20832C6

_lock.LIBCMT ref: 00000265B20897CF
_lock.LIBCMT ref: 00000265B208982A
_calloc_crt.LIBCMT ref: 00000265B20898E1

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction ID: 3029ecca449db1b7af67232ab83e22aa6f2773ac9f077c3f823aba8647d1fe5f
Opcode Fuzzy Hash: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction Fuzzy Hash: D8513530514F1D8FE718AF18C8D9376B3D0FB94318F11065DE88ACB7AADA75D8428792

Function 00000265B2064937 Relevance: 7.7, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B2064981

Part of subcall function 00000265B207E6CB: _FF_MSGBANNER.LIBCMT ref: 00000265B207E6FB
Part of subcall function 00000265B207E6CB: _NMSG_WRITE.LIBCMT ref: 00000265B207E705
Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E739
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E744
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E74F

malloc.LIBCMT ref: 00000265B206498C

Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E75F
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E764

free.LIBCMT ref: 00000265B2064A73
free.LIBCMT ref: 00000265B2064A7B
free.LIBCMT ref: 00000265B2064A87
free.LIBCMT ref: 00000265B2064A94

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction ID: 0334ba735a2d5a66103d0ae75d653b7fa72fde262c4bd3e03f2864f62ad4bcce
Opcode Fuzzy Hash: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction Fuzzy Hash: 91412930318F2D4BEB7A9E29589937A32C5E796358F10412DD48BC3297EE22D80347E6

Function 00000265B20800A4 Relevance: 7.7, APIs: 5, Instructions: 169COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000265B207FF9E
memcpy_s.LIBCMT ref: 00000265B2080063
_fileno.LIBCMT ref: 00000265B20800CE

Part of subcall function 00000265B2084E9B: _errno.LIBCMT ref: 00000265B2084EA4
Part of subcall function 00000265B2084E9B: _invalid_parameter_noinfo.LIBCMT ref: 00000265B2084EAF

Part of subcall function 00000265B208637F: __doserrno.LIBCMT ref: 00000265B20863B9
Part of subcall function 00000265B208637F: _errno.LIBCMT ref: 00000265B20863C0

_filbuf.LIBCMT ref: 00000265B20800FC
_errno.LIBCMT ref: 00000265B208014C

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$__doserrno_filbuf_filenomemcpy_s
String ID:
API String ID: 1812282339-0
Opcode ID: 1d80507bd446d673e38c574efff92c11e3e4791c727a6c64fa90c2c2373988e9
Instruction ID: 290d24ea0fcf772d1af32a50f45c1c2dc7aaa45b052ffaee75e433b7ff666e49
Opcode Fuzzy Hash: 1d80507bd446d673e38c574efff92c11e3e4791c727a6c64fa90c2c2373988e9
Instruction Fuzzy Hash: F741EA3131CF2D4AEB2C562C58AD33A72C3E795724F25032DE49AC76DADE12D85247D1

Function 00000265B20817E3 Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 00000265B2081800

Part of subcall function 00000265B2084E9B: _errno.LIBCMT ref: 00000265B2084EA4
Part of subcall function 00000265B2084E9B: _invalid_parameter_noinfo.LIBCMT ref: 00000265B2084EAF

_errno.LIBCMT ref: 00000265B2081810

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

_errno.LIBCMT ref: 00000265B208182C
_isatty.LIBCMT ref: 00000265B208188D
_getbuf.LIBCMT ref: 00000265B2081899

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction ID: 2c5520d8cc9cd9ca4ce42085b84e20abc5552920fc3de47284196be8cd50b8fe
Opcode Fuzzy Hash: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction Fuzzy Hash: CF51D330114E2C8FEB589F28C4EA776B7E1EF48314F140659D45ACFADAD636C84187A0

Function 00000265B2078667 Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B2078696

Part of subcall function 00000265B207E6CB: _FF_MSGBANNER.LIBCMT ref: 00000265B207E6FB
Part of subcall function 00000265B207E6CB: _NMSG_WRITE.LIBCMT ref: 00000265B207E705
Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E739
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E744
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E74F

_snprintf.LIBCMT ref: 00000265B20786AE

Part of subcall function 00000265B207EA83: _errno.LIBCMT ref: 00000265B207EABA
Part of subcall function 00000265B207EA83: _invalid_parameter_noinfo.LIBCMT ref: 00000265B207EAC5

free.LIBCMT ref: 00000265B20786C5

Part of subcall function 00000265B207E68B: _errno.LIBCMT ref: 00000265B207E6AB

malloc.LIBCMT ref: 00000265B2078715
_snprintf.LIBCMT ref: 00000265B207872D
free.LIBCMT ref: 00000265B2078755

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 761449704-0
Opcode ID: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction ID: ea1e94a6a91a59111862eada1f5defc32bda57cad67709c38d5601d444b370ea
Opcode Fuzzy Hash: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction Fuzzy Hash: 9041B03070CE5C4FE699AB2C686D3B877D2E799314F548659D08EC32ABDA35DC0287A1

Function 00000265B01B00F8 Relevance: 7.6, APIs: 5, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
Instruction ID: 8af5d18fa59db06f934ac98c290b1635b4bfe7bde92454b62cbe923d6e2b2488
Opcode Fuzzy Hash: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
Instruction Fuzzy Hash: 6651EF72B04EA095FB19FB65C8893ED2360FF94B8CF489115EE092769ADF39C549C700

Function 00000265B01C062C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01C0664

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

_invalid_parameter_noinfo.LIBCMT ref: 00000265B01C066F
_flush.LIBCMT ref: 00000265B01C0721
_fileno.LIBCMT ref: 00000265B01C0742
_flsbuf.LIBCMT ref: 00000265B01C0785

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1640621425-0
Opcode ID: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
Instruction ID: 376ccb07e09edf46f40bea9e2dc73f11389b09aa5a1cbd6b971b8c012204b951
Opcode Fuzzy Hash: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
Instruction Fuzzy Hash: 1A41D431300FF046FA7E9E665D4835AB699BF84FFCF1C42209E964F6D9D63AD4918600

Function 00000265B01A54F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01A553A

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

malloc.LIBCMT ref: 00000265B01A5545

Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF318
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF31D

free.LIBCMT ref: 00000265B01A562C
free.LIBCMT ref: 00000265B01A5634
free.LIBCMT ref: 00000265B01A5640
free.LIBCMT ref: 00000265B01A564D

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
Instruction ID: 42037b145d584534cd86a56254cc105894acd7a6a72c29eb21d26dbe4e3546eb
Opcode Fuzzy Hash: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
Instruction Fuzzy Hash: 9141C432208FF546EF1AEB265C1866E6799BF95BCCF8D4024DD694B749DE3AC406C700

Function 00000265B01B2D70 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 94stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000265B01B31F4: strchr.LIBCMT ref: 00000265B01B322E
Part of subcall function 00000265B01B31F4: strchr.LIBCMT ref: 00000265B01B324C
Part of subcall function 00000265B01B31F4: malloc.LIBCMT ref: 00000265B01B3264
Part of subcall function 00000265B01B31F4: malloc.LIBCMT ref: 00000265B01B3271
Part of subcall function 00000265B01B31F4: rand.LIBCMT ref: 00000265B01B333D

strchr.LIBCMT ref: 00000265B01B2DD6
_snprintf.LIBCMT ref: 00000265B01B2E0C

Part of subcall function 00000265B01BF63C: _errno.LIBCMT ref: 00000265B01BF673
Part of subcall function 00000265B01BF63C: _invalid_parameter_noinfo.LIBCMT ref: 00000265B01BF67E

_snprintf.LIBCMT ref: 00000265B01B2E23

Strings

%s&%s, xrefs: 00000265B01B2E1C
?%s, xrefs: 00000265B01B2E05

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
String ID: %s&%s$?%s
API String ID: 1095232423-1750478248
Opcode ID: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
Instruction ID: 62e9ad349d0eb7a9fb999a8719def877358d0533af8c44eba319d8c6505ba933
Opcode Fuzzy Hash: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
Instruction Fuzzy Hash: C741A372200ED091EA29AF2ED5492E8A3A0FFD8B9DF085511DF4917B65EF35D1A7C340

Function 00000265B01CAC98 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00000265B01CACFA
_isleadbyte_l.LIBCMT ref: 00000265B01CAD2A
MultiByteToWideChar.KERNEL32 ref: 00000265B01CAD69
MultiByteToWideChar.KERNEL32 ref: 00000265B01CADB7
_errno.LIBCMT ref: 00000265B01CADC1

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
Instruction ID: 290ce71699e204f5fcd6fc463ac8d882cfbf1b6b9ad74c24afe1c18e7ce20176
Opcode Fuzzy Hash: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
Instruction Fuzzy Hash: B441F432201BD086E7798F14D98836D7BA1FF84BACF5C4161EB8A5BB9DCB39C8418700

Function 00000265B206F0AB Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B206F0CC

Part of subcall function 00000265B207E6CB: _FF_MSGBANNER.LIBCMT ref: 00000265B207E6FB
Part of subcall function 00000265B207E6CB: _NMSG_WRITE.LIBCMT ref: 00000265B207E705
Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E739
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E744
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E74F

free.LIBCMT ref: 00000265B206F107
fwrite.LIBCMT ref: 00000265B206F148
fclose.LIBCMT ref: 00000265B206F150
free.LIBCMT ref: 00000265B206F15D

Part of subcall function 00000265B207E68B: _errno.LIBCMT ref: 00000265B207E6AB

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$free$_callnewhfclosefwritemalloc
String ID:
API String ID: 1696598829-0
Opcode ID: 847eb6b7486c9ee4865d8d7c518a95bf0648219dea0f29af020a53809fe39c03
Instruction ID: e5fd30c2bc531c82e3c85e7f4fad1be752d5ab794b4c1539001a7f10c38f8be2
Opcode Fuzzy Hash: 847eb6b7486c9ee4865d8d7c518a95bf0648219dea0f29af020a53809fe39c03
Instruction Fuzzy Hash: 6F218330228E2C4BE745F72985AD3BD76D1FB98358F54452D644EC32EADD29CD0183A2

Function 00000265B2089A33 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B2089A44

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

__doserrno.LIBCMT ref: 00000265B2089A3C

Part of subcall function 00000265B20810EF: _getptd_noexit.LIBCMT ref: 00000265B20810F3

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction ID: 74f4d49ddb2565f25e7426127e1fc758c0e6a6b95a839dfe687a68a0cceff96d
Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction Fuzzy Hash: D801F930124C6D4EF6587764CCE93B672A2FF8132DF554254E019CFADBD67A44408771

Function 00000265B01CA5EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01CA5FD

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

__doserrno.LIBCMT ref: 00000265B01CA5F5

Part of subcall function 00000265B01C1CA8: _getptd_noexit.LIBCMT ref: 00000265B01C1CAC

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction ID: c523987e044953d512350091b5624abebe44e2bbd54fa497d4f05ca5f382578f
Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction Fuzzy Hash: 2301D172602EF445FA2E6B64CC893AC2560BF51B3DFED4340D52A0E3EAC62AC4524610

Function 00007FF65B3B1CB0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00007FF65B3BC0B0,00007FF65B3BC0B8,00000001,?,?,?,?,00007FFE2167ADA0,00007FF65B3B1228,?,?,?,00007FF65B3B13E6), ref: 00007FF65B3B1EAD

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF65B3B1F17
Unknown pseudo relocation bit size %d., xrefs: 00007FF65B3B1FF2
Unknown pseudo relocation protocol version %d., xrefs: 00007FF65B3B1FFE

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 3f5ecf0c864aea2a70ecd982c90d4553c0d8b705a79e49b9268a78e357bff83a
Instruction ID: 99531ebfc4b0df1ac283a177240a087a7f3db6382b8a6d9d51b14a2df7e9d5b4
Opcode Fuzzy Hash: 3f5ecf0c864aea2a70ecd982c90d4553c0d8b705a79e49b9268a78e357bff83a
Instruction Fuzzy Hash: 4F917E32E29D5686EA208B25D9402796291BF5D7A4F6C8335DD2DB77FCDF2CE842D200

Function 00000265B01AD83C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

Strings

%s!%s, xrefs: 00000265B01AD9EB

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID:
String ID: %s!%s
API String ID: 0-2935588013
Opcode ID: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
Instruction ID: ebad6af699bc4316e5c28f96ef43c368a0277ddd14702ce3348eae261fbecd5a
Opcode Fuzzy Hash: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
Instruction Fuzzy Hash: 25516576204FE086EB689F55D80875973A1FB88B9CF484126DF9B4778DDB39C942C704

Function 00000265B01B2818 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93sleeppipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 00000265B01B28A3
GetStartupInfoA.KERNEL32 ref: 00000265B01B28AD
Sleep.KERNEL32 ref: 00000265B01B28F4

Part of subcall function 00000265B01B48D8: GetTickCount.KERNEL32 ref: 00000265B01B48F1
Part of subcall function 00000265B01B48D8: GetTickCount.KERNEL32 ref: 00000265B01B4932

Strings

h, xrefs: 00000265B01B284D

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CountTick$CreateInfoPipeSleepStartup
String ID: h
API String ID: 1809008225-2439710439
Opcode ID: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
Instruction ID: 3a02014222ebd22e2e6e58d771dcaee045a113bcdd21c6435098459ce8e32407
Opcode Fuzzy Hash: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
Instruction Fuzzy Hash: 0741A832600F989AE310DF65E84468EB7B0F78879CF104205EE9C53BA8DF39C546CB40

Function 00007FF65B3B2053 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00007FF65B3B20D2

Strings

CCG , xrefs: 00007FF65B3B2075

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 6073a758f237ae6f803d3cf6a55fdba62ff33d07738ec308fd8f7cf96dd68a23
Instruction ID: b8801e286975ba4a9772c4fcdd35f1c31d46e5e16b74655255d3f7d857af8660
Opcode Fuzzy Hash: 6073a758f237ae6f803d3cf6a55fdba62ff33d07738ec308fd8f7cf96dd68a23
Instruction Fuzzy Hash: 37218961E09E0646FE682A69CC943781982AF8D354F1D8A35CA2DF63FDDD2DE8C1C211

Function 00000265B01BE1D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 00000265B01BE26D
LookupAccountSidA.ADVAPI32 ref: 00000265B01BE2B2
_snprintf.LIBCMT ref: 00000265B01BE2DA

Strings

%s\%s, xrefs: 00000265B01BE2C8

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AccountInformationLookupToken_snprintf
String ID: %s\%s
API String ID: 2107350476-4073750446
Opcode ID: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
Instruction ID: d886de8e7ad4598f387ed8e581c0ca0917344b392fb351001d4fd3c6745016e1
Opcode Fuzzy Hash: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
Instruction Fuzzy Hash: B8312F36204FD195EB38DF61E8446DA73A8FB88B8CF488125EA8D57B59DF39C606C740

Function 00000265B01B4224 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000265B01B424E
GetProcAddress.KERNEL32 ref: 00000265B01B425E

Strings

RtlCreateUserThread, xrefs: 00000265B01B4254
ntdll.dll, xrefs: 00000265B01B423B

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: RtlCreateUserThread$ntdll.dll
API String ID: 1646373207-2935400652
Opcode ID: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
Instruction ID: 8acea0e09225c5f760119ea72def34017dd6e67b6dc2657b09ca5933d5801b2a
Opcode Fuzzy Hash: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
Instruction Fuzzy Hash: 88112D32214F9092DB24DF51F884549B7B8FB98B88F9D8235EA9D43B18DF39C556C700

Function 00000265B01B3C0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000265B01B3C30
GetProcAddress.KERNEL32 ref: 00000265B01B3C40

Strings

ntdll, xrefs: 00000265B01B3C23
NtQueueApcThread, xrefs: 00000265B01B3C36

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueueApcThread$ntdll
API String ID: 1646373207-1374908105
Opcode ID: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
Instruction ID: 02af006c49ff81cf29e62c8f76fbe2aee1d9a7c97b20022f03d7967bde35e82c
Opcode Fuzzy Hash: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
Instruction Fuzzy Hash: E3018435200F9192EA049B52FC5825AA7A0FB99BD8F584626DE6843B58DF39C4628300

Function 00000265B01B0C64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000265B01B0C79
GetProcAddress.KERNEL32 ref: 00000265B01B0C89

Strings

kernel32, xrefs: 00000265B01B0C72
IsWow64Process, xrefs: 00000265B01B0C7F

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
Instruction ID: 71e3d38ea60f4c9d78a9a6672dbd210c088d42e1785af9caa13b55ac1189f86e
Opcode Fuzzy Hash: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
Instruction Fuzzy Hash: FBE09A70221E91A2EE599B55EC893256360FFA878CF4C2220D96B0626CEF2DC18AC700

Function 00000265B01B20AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000265B01B20BC
GetProcAddress.KERNEL32 ref: 00000265B01B20CC

Strings

kernel32, xrefs: 00000265B01B20B5
Wow64DisableWow64FsRedirection, xrefs: 00000265B01B20C2

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 1646373207-736604160
Opcode ID: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
Instruction ID: 4c9e97ab836eab1f1805a9319a6c0997b236b5019e0b253e2ae384522d1ea684
Opcode Fuzzy Hash: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
Instruction Fuzzy Hash: 97D05B30751E95A1FD1D5791BC4D2546350BF79B4CF4C1211CC2D06358DE2DC18BC310

Function 00000265B01B20E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000265B01B20F4
GetProcAddress.KERNEL32 ref: 00000265B01B2104

Strings

kernel32, xrefs: 00000265B01B20ED
Wow64RevertWow64FsRedirection, xrefs: 00000265B01B20FA

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 1646373207-3900151262
Opcode ID: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
Instruction ID: 713d727f73dba9209cedf39e06c6d4fc8b8bf0f8dbde6b8e9311e6c7210a6e69
Opcode Fuzzy Hash: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
Instruction Fuzzy Hash: 27D05B30751ED561FD1D9791BC4E25413507F69B4DF4C1110C82906358DE2DC18BC310

Function 00000265B206E04B Relevance: 6.5, APIs: 5, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 00000265B206E11A
_snprintf.LIBCMT ref: 00000265B206E145
_snprintf.LIBCMT ref: 00000265B206E161
_snprintf.LIBCMT ref: 00000265B206E216
_snprintf.LIBCMT ref: 00000265B206E22D

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID:
API String ID: 3512837008-0
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: 42c9775346c1c8abd1620e2c6a91e60cb96ad85b21314eff1893eb701f00a179
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: 8691E430618E5C8FEB45EF19D8D9BBA73E5FBA4304F004129E446C31A6DE39D946CB92

Function 00000265B207E433 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B207E456

Part of subcall function 00000265B207E6CB: _FF_MSGBANNER.LIBCMT ref: 00000265B207E6FB
Part of subcall function 00000265B207E6CB: _NMSG_WRITE.LIBCMT ref: 00000265B207E705
Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E739
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E744
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E74F

malloc.LIBCMT ref: 00000265B207E464

Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E75F
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E764

malloc.LIBCMT ref: 00000265B207E486
_snprintf.LIBCMT ref: 00000265B207E4A1

Part of subcall function 00000265B207EA83: _errno.LIBCMT ref: 00000265B207EABA
Part of subcall function 00000265B207EA83: _invalid_parameter_noinfo.LIBCMT ref: 00000265B207EAC5

malloc.LIBCMT ref: 00000265B207E4BC

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction ID: 9f9fcf410352fda836da5846df0638becbd253c56dee392f7dcab9d66cb5604b
Opcode Fuzzy Hash: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction Fuzzy Hash: BB116330A1DF184FE7A8EB6CA49936576D1F79C710F10495EE08EC32ABDA34AC4247D2

Function 00007FF65B3B32B0 Relevance: 6.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71253800d1795a9d3461c9a2abaf0dff8d7b3023a836dbffc4b560ae3a195706
Instruction ID: 943284425a3c6784de83b27e36900f8dd59cc1555d9b62b0efe116523e549cd3
Opcode Fuzzy Hash: 71253800d1795a9d3461c9a2abaf0dff8d7b3023a836dbffc4b560ae3a195706
Instruction Fuzzy Hash: C6919872E09A6286E76A8F29C50477A6A91BB08B94F598131CF0DB77DCDF3CE845C740

Function 00000265B207FA73 Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B207FAAB

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

_invalid_parameter_noinfo.LIBCMT ref: 00000265B207FAB6
_flush.LIBCMT ref: 00000265B207FB68
_fileno.LIBCMT ref: 00000265B207FB89

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction ID: fbc49c1ee4ec7ede00be569b51e219c3c5f2fe11e38783c5caed57c0b0917af9
Opcode Fuzzy Hash: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction Fuzzy Hash: A7512970218F1D4BE6686A6D54FE33572D1E798314F24422ED45AC31FEEA62CC5283D2

Function 00000265B01BBFC0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction ID: 253cc2fd112bf36f96920cebdfb1cc19a9155254a467ecde90e3d6c6232591b8
Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction Fuzzy Hash: 7C618035241EA0C6E75CAB29DD8D76C33E0FB98B9CF1C4129E9094B7A9C73AC4428B40

Function 00000265B2060517 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 00000265B206055E
clock.LIBCMT ref: 00000265B206056B
clock.LIBCMT ref: 00000265B2060574
clock.LIBCMT ref: 00000265B2060581

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: a06859aca2d036b3f0423bd05d74b3bc83845bb964877012f079e9efb5aa6227
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: 3321353184CB2D0FEB68E99D68CA337B6D1F794350F11422DE8CA83147E5529C4243E2

Function 00007FF65B3B7940 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF65B3B799A
MultiByteToWideChar.KERNEL32 ref: 00007FF65B3B79DA

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 60955b7da004b012cd6c20307c8efa49db5495c7d84d8066373e77440e57a3b0
Instruction ID: b9d14c5e75fac2488914053634dbbf3bbe31e7cd11ac96f99b4455579a61a466
Opcode Fuzzy Hash: 60955b7da004b012cd6c20307c8efa49db5495c7d84d8066373e77440e57a3b0
Instruction Fuzzy Hash: F231767260CA81C6E3A18F25F40036A7BA0FB99784F588135DA98F7BE9DF3DD5458B00

Function 00000265B01B4A04 Relevance: 6.1, APIs: 4, Instructions: 80synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01B4A45

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

htonl.WS2_32 ref: 00000265B01B4A5B

Part of subcall function 00000265B01B4C44: PeekNamedPipe.KERNEL32 ref: 00000265B01B4C7C

WaitForSingleObject.KERNEL32 ref: 00000265B01B4AB6
free.LIBCMT ref: 00000265B01B4AF2

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
String ID:
API String ID: 2495333179-0
Opcode ID: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
Instruction ID: 86e3ac74889308d900550de4c6e907aa9042c5308e95725a9c6bad340e8559df
Opcode Fuzzy Hash: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
Instruction Fuzzy Hash: 0531A436200EA082EB58FF22AD4826977A5FFC8B9CF0D8514DE565769DDB39C881C344

Function 00000265B01BC230 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 00000265B01BC254

Part of subcall function 00000265B01C145C: GetSystemTimeAsFileTime.KERNEL32 ref: 00000265B01C146A

Part of subcall function 00000265B01C044C: _getptd.LIBCMT ref: 00000265B01C0454

malloc.LIBCMT ref: 00000265B01BC29C
strtok.LIBCMT ref: 00000265B01BC300
strtok.LIBCMT ref: 00000265B01BC311

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: Timestrtok$FileSystem_getptd_time64malloc
String ID:
API String ID: 460628555-0
Opcode ID: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
Instruction ID: 89726acc35ff12dbd1007ab30a8407646ddb140ac0f78309b689ff95250ea133
Opcode Fuzzy Hash: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
Instruction Fuzzy Hash: 3921E4B6600FE481EB18EF95A88869937A8FB84BECF1A4255EF1A47789CB31C441C740

Function 00000265B207F533 Relevance: 6.1, APIs: 4, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00000265B207F550

Part of subcall function 00000265B2083987: _FindPESection.LIBCMT ref: 00000265B20839B0

_initp_misc_cfltcvt_tab.LIBCMT ref: 00000265B207F561
_initterm_e.LIBCMT ref: 00000265B207F574
_IsNonwritableInCurrentImage.LIBCMT ref: 00000265B207F5BD

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable$FindSection_initp_misc_cfltcvt_tab_initterm_e
String ID:
API String ID: 1991439119-0
Opcode ID: 4030f444e10e83babf63ca456711778ffaca7bb986e35c3fe88b540d1c4421cc
Instruction ID: 3c2bb226c3e22e4d5ec84399a1f5767edf1e8dd29a03400a8d0de0852b8700a3
Opcode Fuzzy Hash: 4030f444e10e83babf63ca456711778ffaca7bb986e35c3fe88b540d1c4421cc
Instruction Fuzzy Hash: 8C117331210E1D8AFB26FF24ECED7F633A5F754308F4445299502C60F9EE7A9A448764

Function 00000265B01CF5D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00000265B01CF5FC

Part of subcall function 00000265B01C1600: _getptd.LIBCMT ref: 00000265B01C1616
Part of subcall function 00000265B01C1600: __updatetlocinfo.LIBCMT ref: 00000265B01C164B
Part of subcall function 00000265B01C1600: __updatetmbcinfo.LIBCMT ref: 00000265B01C1672

_errno.LIBCMT ref: 00000265B01CF608

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

_invalid_parameter_noinfo.LIBCMT ref: 00000265B01CF613
strchr.LIBCMT ref: 00000265B01CF629

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
Instruction ID: 741615465a9db3208ea4e3db68f5bfafc9c27590ea8ea54e4a53068ff03258b7
Opcode Fuzzy Hash: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
Instruction Fuzzy Hash: 3121D272208AF041EB785615985837DA6D0FB84BFCF1C412AEA960FAEDDA6EC4418710

Function 00000265B01A10D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 00000265B01A1117
clock.LIBCMT ref: 00000265B01A1124
clock.LIBCMT ref: 00000265B01A112D
clock.LIBCMT ref: 00000265B01A113A

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: 8cf1751cad701d1d916265ee771d1a26b8a64d1c482a920a423d9c07403cc408
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: E911E332604BF845E7B8DE766C8466BB6D0BF843ACF1D0135EF654365DE976C8818601

Function 00000265B01BEF5C Relevance: 6.0, APIs: 4, Instructions: 39networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 00000265B01BEF71
send.WS2_32 ref: 00000265B01BEFAF
send.WS2_32 ref: 00000265B01BEFC3
closesocket.WS2_32 ref: 00000265B01BEFD4

Part of subcall function 00000265B01BF098: closesocket.WS2_32 ref: 00000265B01BF0A4
Part of subcall function 00000265B01BF098: free.LIBCMT ref: 00000265B01BF0AE
Part of subcall function 00000265B01BF098: free.LIBCMT ref: 00000265B01BF0B7
Part of subcall function 00000265B01BF098: free.LIBCMT ref: 00000265B01BF0C0

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$closesocketsend$accept
String ID:
API String ID: 47150829-0
Opcode ID: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
Instruction ID: ec204a7b5fbab41ff7a31354f3036192f177b9bed391b4f78bc3c3bf22e49cca
Opcode Fuzzy Hash: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
Instruction Fuzzy Hash: 7F015235304DA081EB58AB36FD59B7D2361FB99FECF089215DE2607799CF2AC0818B40

Function 00000265B01B53EC Relevance: 6.0, APIs: 4, Instructions: 34sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000265B01B5400
PeekNamedPipe.KERNEL32 ref: 00000265B01B5425
Sleep.KERNEL32 ref: 00000265B01B543B
GetTickCount.KERNEL32 ref: 00000265B01B5441

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
Instruction ID: 07c1f51b499d82f7abc77e35b58d5f4898f109f5e443ee318e48c41aebf230bf
Opcode Fuzzy Hash: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
Instruction Fuzzy Hash: A401A931614EA092F7249725FC4931AA7A1FFC978DF6C4120EB5942A6CEF3EC4C28705

Function 00000265B01B48D8 Relevance: 6.0, APIs: 4, Instructions: 32sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00000265B01B48F1
PeekNamedPipe.KERNEL32 ref: 00000265B01B4916
Sleep.KERNEL32 ref: 00000265B01B492C
GetTickCount.KERNEL32 ref: 00000265B01B4932

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
Instruction ID: 09d2758f4c332664b6261358179ff85b3bb603e60fddc5476ccc78ac235d8c34
Opcode Fuzzy Hash: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
Instruction Fuzzy Hash: 7E018632614EA193F7149B55FC4831AB761FBD979CF688620EB9542A7CDF3EC4818B04

Function 00000265B01BF098 Relevance: 6.0, APIs: 4, Instructions: 15COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00000265B01BF0A4
free.LIBCMT ref: 00000265B01BF0AE

Part of subcall function 00000265B01BF244: HeapFree.KERNEL32 ref: 00000265B01BF25A
Part of subcall function 00000265B01BF244: _errno.LIBCMT ref: 00000265B01BF264
Part of subcall function 00000265B01BF244: GetLastError.KERNEL32 ref: 00000265B01BF26C

free.LIBCMT ref: 00000265B01BF0B7
free.LIBCMT ref: 00000265B01BF0C0

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$ErrorFreeHeapLast_errnoclosesocket
String ID:
API String ID: 1525665891-0
Opcode ID: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
Instruction ID: fd0cd107033aaadbab1477fe29fbb2eaaecf0fe16edd3984107d17f75b024c66
Opcode Fuzzy Hash: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
Instruction Fuzzy Hash: 9FE04236610C9481EE18FBA2DCBA1681230BBD8F9CF1800659F1E4A2AA8E66C8958344

Function 00000265B207ECA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B207ECF8

Part of subcall function 00000265B208115F: _getptd_noexit.LIBCMT ref: 00000265B2081163

_invalid_parameter_noinfo.LIBCMT ref: 00000265B207ED03

Strings

B, xrefs: 00000265B207ED2F

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction ID: 929def01a5c40e5facffe1a23a20d6fde506af4de4e142849cd90dd5b48fcc5c
Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction Fuzzy Hash: B111BF30228F0C8FD744EF1C948976AB2D2FBA8328F10476EA019C32A5CB74C985C782

Function 00000265B01BF860 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000265B01BF8B1

Part of subcall function 00000265B01C1D18: _getptd_noexit.LIBCMT ref: 00000265B01C1D1C

_invalid_parameter_noinfo.LIBCMT ref: 00000265B01BF8BC

Strings

B, xrefs: 00000265B01BF8E8

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction ID: 4471a6f10a1ac3ae6889a9ad9db79795e6f7e859b8a5ef16d05125a36ba94b24
Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction Fuzzy Hash: 6B11A572610B9086EB249F56E8483997660FB98FFCF684325AF580BBD9CF38C140CB00

Function 00007FF65B3B19C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65B3B1A40

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65B3B1A27
Unknown error, xrefs: 00007FF65B3B1AAC

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: f6fe61a779a87eb39abcfee344401f2a187891694e862ef8347c9b1371331ef3
Instruction ID: 92b3f3a122bb109c5e3daefafa6a18d69d969bed2bf63c11a63a9603f789b584
Opcode Fuzzy Hash: f6fe61a779a87eb39abcfee344401f2a187891694e862ef8347c9b1371331ef3
Instruction Fuzzy Hash: B3015E63D1CF8482E6018F18D8401BA7331FBAE789F299325EA8D76569DF29E592C700

Function 00007FF65B3B1A80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65B3B1A40

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65B3B1A27
Overflow range error (OVERFLOW), xrefs: 00007FF65B3B1A80

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 87a7770db71728519d94f0787ec26e0744cbef0beaec10e93c49723dc7caa2ef
Instruction ID: 756674d6d02b032279955e21aedc1e02d5d6e93d1f8188ad975a010eaa489f71
Opcode Fuzzy Hash: 87a7770db71728519d94f0787ec26e0744cbef0beaec10e93c49723dc7caa2ef
Instruction Fuzzy Hash: 73F06226C08E8882D2028F1CE4001BB7331FF4E788F285325EF8D7A169DF28E582C700

Function 00007FF65B3B1A90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65B3B1A40

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65B3B1A27
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF65B3B1A90

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 0987f1bca5e4867893d9def00a6feebb28f4f6d67b3c7e1dac15035582c1f842
Instruction ID: dd68e0d0b04cd81f33b495cc4cdc3f681cceb02bd85a81ea89cab6ced25c5d7b
Opcode Fuzzy Hash: 0987f1bca5e4867893d9def00a6feebb28f4f6d67b3c7e1dac15035582c1f842
Instruction Fuzzy Hash: A2F01266D18E8482D2029F1CE4001BB7335FF5E798F295325EF8D7A569DF29E582D700

Function 00007FF65B3B1AA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65B3B1A40

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65B3B1A27
Total loss of significance (TLOSS), xrefs: 00007FF65B3B1AA0

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 1895b7346dc32dca3c0fb7393d22f38cbd53d2c6ec44ade5251a4a741e2b0a1f
Instruction ID: 2e164e44f49d271ff788a8c5fffaf81534f584a07590dd4c478d345d0fe7265a
Opcode Fuzzy Hash: 1895b7346dc32dca3c0fb7393d22f38cbd53d2c6ec44ade5251a4a741e2b0a1f
Instruction Fuzzy Hash: 22F01266D18E8482D2029F1CE4001BB7335FF5D798F285325EF8D7A569DF29E5829700

Function 00007FF65B3B1A60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65B3B1A40

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65B3B1A27
Argument domain error (DOMAIN), xrefs: 00007FF65B3B1A60

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: a1c64b0ed614ac845be99ae91a72a71460bb04601bf6c00efd1426a2d7401224
Instruction ID: 67709f71d3efc48a7e8c4e2a8d5c67572f6cc36317e89f0828e985887049693b
Opcode Fuzzy Hash: a1c64b0ed614ac845be99ae91a72a71460bb04601bf6c00efd1426a2d7401224
Instruction Fuzzy Hash: D9F06226C08E8882D2028F1CE4001BB7331FF4E788F285325EF8D7A169DF29E582C700

Function 00007FF65B3B1A70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65B3B1A40

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65B3B1A27
Partial loss of significance (PLOSS), xrefs: 00007FF65B3B1A70

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 33d30dbd4ff50b0859772142c1d47765158d2ad64e64a143ae7efa0c629909e8
Instruction ID: e6e3d5cc6fc9e9fe9f81767e2b61c6abdf6c5435753f81e98bd5cb992af877fc
Opcode Fuzzy Hash: 33d30dbd4ff50b0859772142c1d47765158d2ad64e64a143ae7efa0c629909e8
Instruction Fuzzy Hash: E8F01266D18E8482D2029F1CE4001BB7335FF5E798F295325EF8D7A569DF29E582D700

Function 00007FF65B3B19F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65B3B1A40

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65B3B1A27
Argument singularity (SIGN), xrefs: 00007FF65B3B19F8

Memory Dump Source

Source File: 00000000.00000002.2912126968.00007FF65B3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65B3B0000, based on PE: true

Associated: 00000000.00000002.2912112951.00007FF65B3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912142684.00007FF65B3B8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912155900.00007FF65B3B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912172386.00007FF65B3BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2912188119.00007FF65B3C0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff65b3b0000_JP1KbvjWcM.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: de13d2bc3325a385dd781bb96c52ce61e4d0120fd2352701a1b64ed63d8d5b79
Instruction ID: dc0a2dc7ea51c75eb2b5f752b9bc1c35ce9267af599f91f394d36ec9b403d134
Opcode Fuzzy Hash: de13d2bc3325a385dd781bb96c52ce61e4d0120fd2352701a1b64ed63d8d5b79
Instruction Fuzzy Hash: 87F03616D08E8482D6029F1CE4001AB7335FF5D799F185326EF8D7A569DF29E582C700

Function 00000265B01A1CC4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 00000265B01A1D6A

Part of subcall function 00000265B01CEE08: _calloc_impl.LIBCMT ref: 00000265B01CEE18
Part of subcall function 00000265B01CEE08: _errno.LIBCMT ref: 00000265B01CEE2B
Part of subcall function 00000265B01CEE08: _errno.LIBCMT ref: 00000265B01CEE35

free.LIBCMT ref: 00000265B01A1EF3
free.LIBCMT ref: 00000265B01A1EFD
free.LIBCMT ref: 00000265B01A1F0F

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
Instruction ID: 19d8326a8506864fbb48434fe4ed2c4bbdfe469278efcd0852deedb16da67364
Opcode Fuzzy Hash: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
Instruction Fuzzy Hash: 3EC1FA36604FE48AE764CF65E88439E77A4F788B88F14412AEB8D87B58DB79C455CB00

Function 00000265B207A18B Relevance: 5.2, APIs: 4, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B207A1BF

Part of subcall function 00000265B207E6CB: _FF_MSGBANNER.LIBCMT ref: 00000265B207E6FB
Part of subcall function 00000265B207E6CB: _NMSG_WRITE.LIBCMT ref: 00000265B207E705
Part of subcall function 00000265B207E6CB: _callnewh.LIBCMT ref: 00000265B207E739
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E744
Part of subcall function 00000265B207E6CB: _errno.LIBCMT ref: 00000265B207E74F

free.LIBCMT ref: 00000265B207A306
free.LIBCMT ref: 00000265B207A36A
free.LIBCMT ref: 00000265B207A376

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction ID: a39332540fd7c5c3bbffe75e410bd9749f0b4ab749dfd8decb9e37eb239df1d6
Opcode Fuzzy Hash: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction Fuzzy Hash: DB619430218E2D4BEB59EB2894ED7FD72D1E794354F10052DF44BC32EBDE25984297A2

Function 00000265B2063747 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B20637AA

Memory Dump Source

Source File: 00000000.00000002.2911937188.00000265B2060000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B2060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b2060000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction ID: 6f94b6025edffcf0eeaabc59d19d864bdd156c5a7480b4c9b957c1c937cd3674
Opcode Fuzzy Hash: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction Fuzzy Hash: 1151D630208F1A4FEB599F2D94D92B973D1FB84714F10555DD84BC329BEA21EC0287D2

Function 00000265B01BAD44 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01BAD78

Part of subcall function 00000265B01BF284: _FF_MSGBANNER.LIBCMT ref: 00000265B01BF2B4
Part of subcall function 00000265B01BF284: _NMSG_WRITE.LIBCMT ref: 00000265B01BF2BE
Part of subcall function 00000265B01BF284: HeapAlloc.KERNEL32 ref: 00000265B01BF2D9
Part of subcall function 00000265B01BF284: _callnewh.LIBCMT ref: 00000265B01BF2F2
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF2FD
Part of subcall function 00000265B01BF284: _errno.LIBCMT ref: 00000265B01BF308

free.LIBCMT ref: 00000265B01BAEBF
free.LIBCMT ref: 00000265B01BAF23
free.LIBCMT ref: 00000265B01BAF2F

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: free$_errno$AllocHeap_callnewhmalloc
String ID:
API String ID: 3531731211-0
Opcode ID: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
Instruction ID: 306d2127f90d1082c245738e226d18a192b6471621d35c7a6a414663893a04d1
Opcode Fuzzy Hash: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
Instruction Fuzzy Hash: 0951B275301AE585EA2CBB21DC583BD6391BFC079CF9C0469AA1A57BDEEB7BC4018300

Function 00000265B01A4300 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000265B01A4363

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
Instruction ID: 47ba9b8e30b0862b13b4631427ad2d81a7cbb78d184f8a5ea992d052432cc632
Opcode Fuzzy Hash: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
Instruction Fuzzy Hash: 46417132204BF087EB5CDB26A81876D63A1FBC8B8CF484525DE6A57789DF35D805C700

Function 00000265B01B1038 Relevance: 5.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 00000265B01B9170: GetCurrentProcess.KERNEL32 ref: 00000265B01B9188

GetLastError.KERNEL32 ref: 00000265B01B10A7
malloc.LIBCMT ref: 00000265B01B113C
free.LIBCMT ref: 00000265B01B1185
GetLastError.KERNEL32 ref: 00000265B01B11B5

Memory Dump Source

Source File: 00000000.00000002.2911591072.00000265B01A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000265B01A0000, based on PE: true

Associated: 00000000.00000002.2911591072.00000265B01E8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EB000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01EE000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2911591072.00000265B01F3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_265b01a0000_JP1KbvjWcM.jbxd

Yara matches

Similarity

API ID: ErrorLast$CurrentProcessfreemalloc
String ID:
API String ID: 1397824077-0
Opcode ID: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
Instruction ID: 2ff61a850e3dc7108fccfca1789e7bb768619293d6f89c977473f6345fd7f0f4
Opcode Fuzzy Hash: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
Instruction Fuzzy Hash: 25419572314EE181E768EB26E8447AE6391FFC478CF455425AF8947A9EEF3AC1418700

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JP1KbvjWcM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Threatname: Metasploit

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

\Device\Mailslot\slot-80

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
JP1KbvjWcM.exe

Function 00000265B01AE68C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 165
networkfileCOMMONLIBRARYCODE

Function 00000265B01B5E28 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116
stringCOMMONLIBRARYCODE

Function 00007FF65B3B1180 Relevance: 10.6, APIs: 7, Instructions: 138
sleepstringCOMMON

Function 00000265B01A1184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Function 00000265B01ACA74 Relevance: 7.8, APIs: 6, Instructions: 296
COMMONLIBRARYCODE

Function 00000265B022098B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
networkmemoryfileCOMMON

Function 00007FF65B3B1485 Relevance: 6.1, APIs: 4, Instructions: 53
memorythreadCOMMON

Function 00007FF65B3B1550 Relevance: 6.1, APIs: 4, Instructions: 53
filesleepCOMMON

Function 00000265B0220932 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 544
librarynetworkCOMMON

Function 00000265B01AF014 Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Function 00000265B0220B5E Relevance: 3.1, APIs: 2, Instructions: 74
memoryfilenetworkCOMMON

Function 00007FF65B3B161A Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Function 00007FF65B3B16A9 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 00007FF65B3B7E50 Relevance: 3.0, APIs: 2, Instructions: 13
synchronizationCOMMON

Function 00000265B207936B Relevance: 1.4, APIs: 1, Instructions: 136
memoryCOMMON